Falsehoods Programmers Believe About Phone Numbers (2016) (github.com/googlei18n)
451 points by striking on Feb 21, 2019 | 198 comments

I have/had a Facebook account with a phone number. The account was left unused for a few years. Recently, I used my e-mail to reset its password. Unfortunately, since the account was abandoned for a long time, the system flagged my activity as "suspicious" automatically and asks me for confirmation using my phone number.

But I no longer own that number.

And from the customer Q&A forum, I realized I was not the only one - it is almost impossible to find an actual human from Facebook to solve this kind of verification problem.

All I wanted is to delete it, but I can't. Now, my account becomes a zombie, can't be used, can't be deleted, and has lots of personal information. All thanks to the falsehoods Facebook programmers believed about phone numbers, and its non-existent "customer [0]" service.

I've heard Google has similar issues [1], if the machine works, then everything is fine, until you need a human...

Repeat after me: fxxk Facebook.

[0] because I'm the product, not the customer?

[1] https://news.ycombinator.com/item?id=18886804, and read this comment: https://news.ycombinator.com/item?id=18887548

Storytime: I bounce between Japan and Korea for work. I was in Seoul for about a year and a half and naturally had a Korean phone number. I used this number to sign up for Line (a popular chat service in the two countries), and I also linked my email address to the account. So when it was time to move back to Japan, I naturally canceled my Korean phone service.

Fast forward 6 months, and my Line account suddenly disappears. I contact customer service, and it seems someone else had registered for Line with my previous phone number -- which was of course released when I canceled my service with the telecom in Korea. I was informed that it's Line's policy to only allow one account per phone number, and thus they deleted my old account when the other person registered. There was no way to recover it. I even reached out to one of my engineering friends that worked for Line, at the time.

Some of my friends, I only knew and communicated with through Line, and I have no way to find or contact them again.

So yeah, fxxk using phone numbers as identification.

This is why I'm not a fan of mobile apps that force you to use your number. Sadly the most popular apps all the cool kids are using (your friends) are the most inconvenient in some regards. I wish Signal would let me use an email instead so I can use it from a tablet, but they insist on keeping my phone number instead. Signal made sense to use with phone numbers when they encrypted SMS but they no longer do messaging without data so it makes no sense to me.

Line is the worst violator of these principles. Last I used it, in order to install it on another device, you had to back up all that device's data (contacts, etc) to a computer, put your account on another device which then triggers a non-negotiable wipe of the other device's data whenever it connects to the internet, then download the backup to your new device. Hell.

The first of the two bad things about Line is that connection to a phone number. Wife got a new iPad, and, because of the other bad thing - that Line only works on a single device - it had to be 'moved' to the new iPad. Which needs a confirmation by phone message. And that phone was in Japan, unlike my wife, and wouldn't have worked for text messages even if she had brought it (phone plan didn't allow international calls or text). Contacted Line and got all kinds of useless advice - at least there are people in the other end - but nothing worked.

Had to create a new account.

The backing-up and restore is the easy part. Not much help if you can't move the account due to that silly phone number lock-in.

All these problems would be solved if they allowed us to use a Google Voice number. It is a number that's attached to my email and one that I won't discard (assuming I would lose it due to inactivity). But no. Even Uber doesn't allow me to use a Google Voice number.

you can get a Google Voice number only if you are in the US, at least when I tried to get one last year it was impossible from Italy.

Looks like I got lucky, I ran into this where a while after moving I switched to a new phone and couldn't activate Line because I didn't have the old number anymore. However I managed to sort it out with the Line customer service (even though some of the questions like "when did you first register your line account" I could only guesstimate because it was so long ago).

Similar thing happened to me with LINE - didn't have anyone else registering with the same number AFAIK, but simply having lost my session and the registered number meant I lost that account and had to register a new one.

You should have moved your number to a Japanese number though.

I do have a Japanese number. Perhaps you meant I should have linked my account to my number here?

I'm sure there are things I could have done to prevent it from happening, but I had no reason to believe Line would simply delete my account, as it was linked to my email address. In fact, I only used the number for the initial registration. After that, I only used my email/password combo to log in.

What you would have to do is to have the Japanese and Korean phones/numbers available at the same time, from the same place, and then change the phone number. Which is not something that is always possible - re. my post above.

Like you, I only used the number for the initial registration - and I suspect that's what everybody does. I have no idea what the phone number should be used for outside of that. I'm not sure why Line (well, Naver, the company) does it that way. Others, including Skype (which would need the same level of 'verification') manage it better.

No, as much as I hate Facebook: fuck phone numbers. The idea of using phone number as a personal identification tool is so bad, I'm struggling to believe this is not some kind of conspiracy designed for the solely purpose of mocking the user. It is bad enough that phone numbers exist at all in the eyes of the end user by the year 2019, 15 years after Skype with user-friendly logins appeared and when about a half of the planet uses the phone almost solely for the purpose of having a pocket-size internet access device anyway. But making phone numbers a passport of sorts (a proprietary, insecure, easy to lose passport, over which you have basically no control) is the worst, the most stupid/evil idea ever. And there's no way around it, it is used by (supposedly "secure") whatsapp, telegram, google, facebook, every fucking pizza delivery service and, well, basically everything else. And I hate every single person responsible for helping that happen.

Seriously, I would do everything I can to destroy fucking phone numbers, but I have no idea how can we stop this madness.

> a proprietary, insecure, easy to lose passport

> 15 years after Skype

I agree with your general sentiment, but the two phrases I picked out are where you have it backward. Phone numbers are not proprietary. They're difficult to move, but if you're a customer with one phone company you can call a customer of a different phone company using a phone number.

Skype is proprietary. It belongs to a single company. Customers of Skype or Facetime or Slack or Hangout cannot simply contact each other across services.

Yes, phone numbers need to be replaced. They need to be replaced by an open solution, not a proprietary solution like Skype.

You do not own the phone number, your phone company does, and the implementation is a chip that you can physically "own" but can't control or know what happens inside.

> conspiracy designed for the solely purpose of mocking the user

slightly paraphrasing Hanlon's razor: don't attribute to a conspiracy that which is adequately explained by stupidity

> Seriously, I would do everything I can to destroy fucking phone numbers, but I have no idea how can we stop this madness.

I assume throwing away your phone isn't a solution for most people who grew up with one. Works for me though. :)

Well, I don't have a phone - have never had a mobile phone. So..I have other problems instead I guess. But not that one.

As far as I can see the vast majority of "serious" registration schemes on the net have a phone number field which is mandatory to fill in. Mobile phone even, in some cases. You're not allowed to not have one. Soon you'll have men in black asking you what you're up to if you don't have one.

Before switching to Linux I thought it would be hard to live without Windows. It wasn't.

Before purging Facebook and Twitter from my life I thought it would be inconvenient to live without them, it isn't.

Living without a phone looks inconvenient, but I think I'm going to try it some time this year.

seconded :) .. it's the best you can do for your mental health and actually "stay connected" for real!

same, i don't have a phone number. my biggest issue is with one of my two banks, but the other one works just fine without any cellphone.

Hi there! I thought it was just me. I do have a couple of older friends aged 70+ without mobiles, but that's all I knew of. :-)

hi! indeed, i don't know many other people without a cellphone, but it's not like I ask every time. there should be dozens of us, dozens.

Do you know low tech magazine? https://www.lowtechmagazine.com/

Hehehe. No I didn't, thanks, looks fascinating.

anti-spam, they said... and you also have this (vomit),


Yes Facebook is using your 2FA phone number to target you with ads

> making phone numbers a passport of sorts (a proprietary, insecure, easy to lose passport, over which you have basically no control)

Phones are an imperfect solution for two-factor authentication but nothing else is as widely available.

There are also very well-supported ways to recover access to your phone number if the physical device is lost or stolen: Contact your phone company, present legal ID and get a new sim card.

pro tip: Telegram requires a phone number for registration, but then you don't need a phone to use it. You can link an account to a burner phone and then you can set up a password. With that password, even if the phone number get reassigned, they can't have access to your account.

> With that password, even if the phone number get reassigned, they can't have access to your account.

I wonder what happens if you acquire that phone number and decide to make it your main one. Hopefully support staff have a way of checking if the old user's active, and asking them to change their account to a number they actually have access to.

if security is a concern don't use Telegram :)

Telegram is way safer than using a cellphone :)

But yeah, Telegram shouldn't be used for really sensitive stuff.

What do you suggest? Give everyone their own domain name? Phone numbers are more portable than third-party emails or logins to proprietary services like Skype. They can be moved from provider-to-provider.

I mean, why not? Doesn't even have to be a full domain name, even just assigning everyone their individual IPv6 address would work.

> Now, my account becomes a zombie, can't be used, can't be deleted, and has lots of personal information. All thanks to the falsehoods Facebook programmers believed about phone numbers, and its non-existent "customer [0]" service.

I think it's naive to think that this wasn't decided at the product level. This exact scenario was discussed, along with many others like it, and this is how they decided to handle it. "So they'll have a profile up with their personal information, maybe some embarrassing stuff they posted in college, and now they're adult and looking for a job and it'll be up forever looking like they intentionally left it that way?" "Yes." "Okay." "It's fine." "I mean...." "Do you have a solution that doesn't cost money?" "No, but...." "So you want to propose we spend money fixing this?" "...." "Okay, so we're agreed that this is fine. Moving on."

We're in an age where it's scary to lose access to an e-mail addresses or phone number are at the top of that list.

I don't mean to change it, I mean to lose access to it. If you change it, find a way to hold onto access to the last one.

I learned this lesson relatively easily. I had a vanity domain that also received my e-mail and I eventually replaced it with a different one. I ran the new domain and e-mail for a few years before allowing the domain registration on the old one to expire. I hadn't received (non-spam) e-mail on it in a couple years, seemed safe enough.

Turns out I've had a few websites over the years since that I wanted to login to and I needed to recover my password, either because I forgot or the site had forced a reset due to a breach. I hadn't updated my e-mail on a few of those sites.

I don't think I'll let go of a main e-mail address or phone number again.

This story seems perfectly relevant - "computers don't argue" https://www.atariarchives.org/bcc2/showpage.php?page=133

It's a perfect story! Hard to believe that the story was written in 1966, it resembles a common argument with your ISP. ;-) And we also have government employees who cannot pass the Turing test...

(to other readers: click "next page" to read the rest of the story)

The most absurd aspect of my Facebook verification problem is that, despite my account having been frozen due to "suspicious activities", their system is still sending those automated mail notices to remind me to return to Facebook for those activities I've missed on my timeline!


> I've heard Google has similar issues, if the machine works, then everything is fine, until you need a human...

I have had great support via phone, chat, and email with google a number of times over the past 3 years, and I live on an island foreign to Google in the middle of the Pacific Ocean. My experience has been that if you're using a paid Google product, the support is excellent.

I have similar experience with most paid services online, so I think the point is clear - you have to be an actual customer with your payment, although it won't guarantee that you will be treated nicely as a customer, but otherwise, it's certain that you are almost always the product.

If the number has been reassigned you could ring the person, explain the situation and get them to forward you the code. (Also a way to crack other people's accounts!).

I wonder if phone companies couldn't [partially] solve this; probably any system would be too open to abuse?

That happened to me once. I declined to provide the code. Might have been legit but seemed too big a risk of getting my phone number tied to something scammy or even criminal.

Send a GDPR removal request?

> it is almost impossible to find an actual human from Facebook to solve this kind of verification problem.

I have come to realize that if you do not deal with a real person when signing up for some service, you will never get to deal with a real person when you need one. Customer service doesn't exist at FB, Google, etc. because they aren't customer oriented companies. They were not created to service you, they were created to use you.

I do wonder how EU's "right to be forgotten" comes into play here. Could it be used in your case?

First, to my knowledge, there are two alternative ways to recover my account within the Facebook system.

1. Correctly identify some personal information about your Facebook friends, or ask them to provide some information about you. However, I have abandoned my account for years, and clearly I no longer have personal contact with most of them.

2. Provide your National-ID document to Facebook. Obviously, I'm not comfortable with it, but I assume my identity is already public information on Facebook so I may have to do it. Unfortunately, the bigger problem is that, personally, I'm in the middle of some tricky paperwork problem with the government bureaucracy, just like my Facebook account. I may need to go to the court to sort it out, but currently I don't have time to bother.

"Right to be forgotten" and GDPR seem to be a powerful tool to solve these kinds of problems, but I'm not an EU citizen and I don't know much about its regulations, but I also want to know about it. Does anyone know something about it? Assuming I'm an EU citizen, how exactly can I submit a request of information removal? If it's similar to DMCA takedowns, perhaps it can be used? Or does it need a rigorous legal proof of identity like (2)? For non-EU citizens, is there a similar outlet to solve these kinds of problems?

EU's GDPR defines several rights and obligations, one of which is:

> Personal data shall be [...] accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

OP could contact Facebook's Data Protection Officer, that they are required to have, and demand that his data is fixed. A complaint can also be filed to the relevant country's Data Protection Authority if needed (I've done it with some success).

But how will he verify that he actually is the person who owns the account?

Well, in this case, he still owns the email so it should work.

Since you know the number, have you considered reaching out to its current owner to coordinate passing off the code?

That’s actually a pretty popular phishing method currently.

Good idea! I'll try. Thanks! The number may or may not be recycled, in case it's not recycled, it would simply be a NULL number. Wish me luck...

If it's not recycled, perhaps you can find the company that has it ... "my lucky number is 441 743, any chance I can get a number that ends like that?". I guess it depends how much time/money you want to spend.

An old eBay account of mine is in the same zombie state because it's wanting to use an old phone number that I no longer control to "verify" me.

Currently facing the same problem with apple and icloud, their customer support is being excruciating about it

too big to be polite

The matter is more simple, Facebook users are not Facebook customers, hence no customer support. Same story with free Google accounts.


* "A mobile phone knows its phone number." The phone cannot know its own phone number without making a call or sending a text message. Some SIM cards carry an "own phone number" record but it is not authoritative and sometimes inaccurate.

* "A SIM card is permanently assigned to a phone number." SIM cards to phone number relationship can be many:many and change over time.

* "<Social app X> requires phone number to sign up, so we should too." Users actually react very differently when a messaging app asks for their phone number (useful to find contacts) vs a calculator app or a game or an app where they want to be anonymous.

Flying Spaghetti Monster I hate that this is real:

> Only mobile phones can receive text messages

> Some service providers support sending and receiving text messages to fixed-line numbers. There are also online services like Skype that can send and receive text messages.

"Oh but not-mobile-number phone numbers are always fraudulent so we don't accept them!" Great, I love getting caught in spam traps because I have a mobile phone...but it is a VoIP-backed system so the numbers show up as VoIP. (BTW, Verizon's "My Numbers" feature also shows up as VoIP numbers, not mobile.)

Even more annoying: "Oh, but a bunch of people we know who are also technology professionals happen to use Google Voice / Google Fi so we'll just whitelist them." Grrr. So now I have to care what my "mobile" provider uses for its underlying network or just use Google.

And the last one: My credit union just sent out a terms of service update saying I "cannot use Google Voice, VoIP, or similar numbers with Zelle." OK, but I already have a number like that registered, what now? "Your Zelle access is suspended until you give us your mobile number." But that is my mobile number. "Too bad."

It's worth noting that a CLEC (or other provider) can, in fact, denote a non-mobile number (or block of numbers) as "mobile" so that it can do things like receive text verifications from short codes (like your bank, or gmail, uses).

This is expensive and time-consuming, however, and almost no CLEC (or other such provider) will do it - you have to petition and register your number(s) with every single mobile provider and get them to accept that these are not sources of spam, etc.

I have this problem because my main, personal number is actually a twilio number (as I built my own personal telco within twilio) and this means I cannot receive validation messages from shortcodes (like a bank). I spoke to some twilio engineers at Signal and they confirmed that it would indeed be possible to register twilio numbers as "mobile" but too expensive ...

> I have this problem because my main, personal number is actually a twilio number (as I built my own personal telco within twilio) and this means I cannot receive validation messages from shortcodes (like a bank)

Why does Twilio work for me for SMS 2FA? Is it because I'm using an '07' number in the UK?


It's possible that your 2FA SMS messages are being sent to you FROM a normal phone number and not a shortcode ...

The problem is not that I can't do 2FA - that's just SMS messaging. The problem is, I can't receive messages from a shortcode, which is different than a normal phone number.

I would, from personal experience, construct a quite different list. Some of mine would be:

* Every other country's telephone numbering is like one's own.

* Every other country's telephone numbering is like that of EU countries, or like the NANP.

* The last 10 digits are the subscriber number.

* Geographic numbers are actually geographic.

* 123456789 is a perfectly fine number to use for test calls.

* STD is exactly like NPA-NXX.

* The leading 1- in NANP long distance form is the country code.

* There are only national and international forms nowadays.

* Users do not use E.164 themselves.

* Emergency numbers are easy to filter out, as it's only one number.

There are also falsehoods that people believe about telephones, which I would start with:

* When you hear the ringing tone, the other end is already ringing.

* Your ringing tone comes from the other end.

* Every network sends in-band call progress tones.

* It's perfectly fine to use fax over a G.729 'phone.

* DTMF is in-band and universally supported.

* DTMF is out of band and synchronous to media.

* There is only one way that callees reject calls, and it never involves being connected.

* TPC does not need to know the correct physical location of your non-mobile 'phone.

* TPC tracks mobile 'phones through "a GPS chip".

* Calls can only be traced whilst the caller is on the line.

* Caller-ID is unspoofable and works across networks and across countries.

* The callee can always clear calls.

* Only the caller can clear a call.

> * The callee can always clear calls

In the 1980s at school, the phone system in the dorms was a private system (you could connect to the public system by dialing 9 first). In this system, a call was not terminated until the originating side disconnected. So a common prank was to call someone, then not hang up. Now their phone was unusable.

> Calls can only be traced whilst the caller is on the line.

You just punched a hole in the plot of every procedural crime drama. :)

You can add "Calls take a non-trivial amount of time (i.e. 60 seconds) to trace" to that list. It's immediate.

> An individual has a phone number

> Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try and provide a fallback to accommodate these users.

Signal, WhatsApp and Telegram are spectacular design failures on this point because they assume that every person has a phone number and also that every person has their own private (non-shared) and unique phone number. Facebook, Google, etc., require a phone number for verification and believe that it’s sufficiently adequate to thwart spammers.

The whole “must enter a phone number” phenomenon is a big mess, introduces privacy issues and excludes many people. None of the companies mentioned above would agree that excluding people is a goal for them, but they’ve made it so.

What pisses me off to no end is the local (very popular) app Vipps for sending other people cash, e.g. to split a bill or buy something at a garage sale or whatever. Not only does it use phone numbers to identify the people you send money to, but it explicitly disallows two people with different phone numbers to have a shared bank account. Husband and wife with common debit account? Sorry, unsupported. WTF? What happens if someone switches bank (and thus account number) or phone number? Who knows, maybe you sent money to a stranger. This app is made by the banks.

I don’t think bank account numbers are re-used. So in that case the transaction would just fail. And no one changes phone number in Norway. With a few exceptions of course.

Ah, but it's precisely these types of assumptions/disregard of "just a few exceptions" that we as programmers should avoid, as per TFA.

> Signal

As I understand it, Signal is always intended to be the "StartTLS" of telephone communication, so naturally it explicitly targets mobile phone users. I only use Signal to call or text someone I would otherwise call directly.

But I agree with your general opinion. For most services I found it's ridiculous to be hardlinked to my phone number. Why on Earth you have to expose your phone number to some random people you chat with on the Internet?! Telegram... at least they accept VoIP numbers...

I use other non-phone, general-purpose services, such as Matrix, to communicate with other people.

> Signal is always intended to be the "StartTLS" of telephone communication, so naturally it explicitly targets mobile phone users.

This doesn't make sense to me. If I have telephone service and the person I want to talk to also has telephone service, why do I want to use Signal to communicate from my telephone device to their telephone device? Aha! Because I want to communicate privately and the telephone service does not allow me to communicate privately. So why do I have telephone service? To allow me to use the service that doesn't use the telephone service?

This always struck me as a particularly poor argument. While it is true that most people have data services through their telephone provider, why do we want to encourage this behaviour. I mean, I could even understand implementing it initially out of convenience, but it's been years and they still haven't provided a means for authenticating with the service without using a means that will publicly identify you. As much as I wish to believe otherwise, I do not think this is unintentional :-( And if it's not unintentional, I'd really like to understand the reason.

> I mean, I could even understand implementing it initially out of convenience, but it's been years and they still haven't provided a means for authenticating with the service without using a means that will publicly identify you. As much as I wish to believe otherwise, I do not think this is unintentional :-( And if it's not unintentional, I'd really like to understand the reason.

That’s precisely what bugs me about these platforms. They all want to create the “social graph” based on phone numbers without giving the option to the user on how they want to expose themselves and how they want to construct their social graph.

You have a good point.

I agree fully. I've no clue why phone numbers are a prerequisite for most email account providers or anything else I have to sign up for. There is no quicker way to make me bail on a signup flow than to demand something that has nothing to do with what I'm using. I barely use my phone as it is, so I'm excited to see what the world will look like for me when I finally eschew it!

Many services need a process that makes it hard for spammers to create a large number of accounts. If getting that costs a small number of real customers who can't use your service, oh well, the need to fight spammers is objectively more important to them as long as there aren't too many real customers with such problems.

Requiring phone numbers is a system that works quite reasonably, as most people have a phone number, and it's not that easy (and certainly not free) for a spammer to get thousands of phone numbers to make thousands of fake identities.

Phone number is probably endured without thought by most people, it then makes their database hugely more valuable; matching phone numbers and email addresses must be a key link for profile matching for advertisers/law enforcement/government.

>Signal, WhatsApp and Telegram are spectacular design failures on this point because they assume that every person has a phone number and also that every person has their own private (non-shared) and unique phone number.

No, most people have a phone number and for most people that's their own phone number. That was a tradeoff for them.

>Facebook, Google, etc., require a phone number for verification and believe that it’s sufficiently adequate to thwart spammers.

I am sure that it is one of the most effective ways to thwart spammers, but to say that it's all they do is laughable. What's an alternative, email address? Throwaway emails are a dime a dozen.

>None of the companies mentioned above would agree that excluding people is a goal for them, but they’ve made it so.

They've made excluding people a goal? Are you serious?

> No, most people have a phone number and for most people that's their own phone number. That was a tradeoff for them.

That’s a very first world observation, and even there, this would be quite shaky if actual numbers were known.

Also, I didn’t say or intend to mean that these companies made excluding people a goal. Their decisions, on the contrary, have resulted in that.

I'd argue that it's a reasonable tradeoff if you consider the users vs customers distinction. Many (most?) services want more users because they're either going to pay money directly or they are good targets for advertising. A first world user is valuable, a third world user - not so much (literally - if you look at costs for clickthroughs or user acquisition or ad revenue per user, there's easily a hundredfold difference). People who are poor enough to not have a phone of their own are probably not going to bring you much revenue, so it's no big deal if they can't access your service. I mean, a company isn't building that service to serve users, it's building that service only to earn money from these users.

> In Argentina, to dial a mobile number domestically, the digits "15" need to be inserted after the area code but before the local number, and the "9" after the country code (54) needs to be removed. This transforms +54 9 2982 123456 into 02982 15 123456.

I used to work in telco, so I've seen some pretty wacky formatting schemes, but this takes the cake. Who thought this was a good idea!?

For a copious list of falsehoods you or other programmers might believe, see also: https://github.com/kdeldycke/awesome-falsehood

What a great link! Thanks!

Note: USA-specific

Not even 20 years ago, before any number could be ported to mobiles, landlines in some (all?) Baby Bell regions had their prefix determined by geography. In other words, you could know what "zone" a given phone number was in by its prefix.

Take Silicon Valley. A (650) 960-xxxx number meant Mountain View. (408) 733-xxxx meant Sunnyvale. Etc.

Zones roughly respected cities, but boundary conditions abounded. If you lived near the Mountain View / Sunnyvale border, you could be in area code 415 (later 650) or 408.

San Jose had 3 zones. Cupertino was part of SJ1. Fremont / Newark were lumped and spanned 2 zones. Milpitas was part of SJ2. etc.

You were only guaranteed a local (non-toll) calling area of something like 8 miles, but Pac Bell would give you all of the zone overlap: if any part of your zone was within that 8 (?) miles of any part of your destination zone, it was a local (free) call. This meant your actual local range could extend 20+ miles.

I set up PC-based call broadcast systems (the vendor product I used was "BigmOth") for some membership organizations such that I could send a recorded message to whatever numbers in a given member roster. By placing two parallel systems in, say, Sunnyvale and SJ3, I could cover everywhere from Menlo Park to Los Gatos to Coyote to Fremont Newark zone 1 with no variable phone costs.

So, I set up a table in my database to join prefixes to zones, and my program went through the contacts and routed each destination number to the appropriate calling phone book (I rewrote the phone books after every batch of database updates). I had one system in my house, and a colleague had one in his in SJ3. I'd just uploaded his share of the phonebooks and the message recording binary to his ftp site, leaving him maybe 10 minutes of work for each cycle's setup.

Thus, I could blast 2-minute messages to members over a 200+ square mile area for free.

It was really slick. 10 years later, it was irrelevant, as everywhere became a free call.

Early BBS networks used to do this, too.

Around 1984 the ARB (named for its author, Arthur Richard Brock, R.I.P.) BBS system did store-and-forward e-mail from one ARB BBS to the next, covering a good portion of the New England and Mid-Atlantic states.

Back then toll charges were pretty high, but there were gateway nodes that had phone numbers which had free calling that spanned area codes and LATAs.

ARBnet was pretty awesome, ran on Commodore 64's, and was a pioneer in public e-mail, but is now completely forgotten.

Do you know of the latest ARB version ever released? When did Arthur die? I had no idea that he did :( The last ARB version that I saw was 7.60 but it did not have PETSCII Color Graphics yet at that version.

I find the prefixes are a fascinating bit of US telco history. Many of the exchanges had Names for decades. There's a very interesting back and forth between city geography and these exchange names, both in that a lot of actual location names got embedded into them. I've sometimes wondered too how often 1950s-era suburbs picked names simply because they fit the exchange name. I feel like that was an underdocumented homogenization force in American suburb names.


Sweet hack. :)


Tom Scott recently did a good piece on a section of Denmark that constantly shifts timezones: https://www.youtube.com/watch?v=yRz-Dl60Lfc

In general, the Earth is a really lousy clock.

"Phone numbers are numbers" - I've come across this multiple times integrating phone numbers into a product.

Currently I just store phone numbers in E.164 format as a string with max length of 25 just to be safe and index them. This really takes up no additional space and can easily handle extensions.

I can't tell you how many times I've run into people storing phone numbers without normalization, e.g. "(555) 444 - 3333" etc., not understanding that's hard to compare against, where E.164 = "+15554443333" is much more consistent and also works with services like Twilio etc.

I assume why they store them as entered is because it's hard to convert them between formats. In North America you format the number that way, but other countries do it differently. Maybe the phone number is a local number (without area code) or maybe it has an extension?

If you are just storing the phone number to display to a user at a later time, it is a lot simpler just to save it as a text field with no validation.

>Currently I just store phone numbers in E.164 format as a string

As someone who created many texting apps (HeyWire, Salesforce's LiveMessage Product) this is how all numbers are treated internally...except short codes, which aren't phone numbers.

Programmers don't actually believe in such falsehoods, nor do they just decide to be lazy about implementation. In fact if anything programmers are generally more aware of such things. A better name for these lists would be "falsehoods businesses insist on despite their engineers' warnings".


I mean, every programmer I know considers stuff like this to be very interesting trivia to learn and apply. But even if you know this stuff, putting the knowledge to use often involves a series of battles against your PMs and managers and maybe even customers, who either don't know it, have their own vision, or just follow what everyone else does.

(Getting a product to work correctly is as much an exercise of diplomacy and ego management as it is a matter of technical skills.)

I remember a discussion on the Linux kernel list years ago - and I believe Linus himself at one point insisted that names with less than three characters shouldn't be accepted, as they must surely be invalid. I pointed out that when I was a student there was another student with a full name consisting of just a single letter. No first name, no last name, just that letter. And the best thing - the student loans bank's system actually handled that. A couple of times each semester there would be wide fanfold prints on the billboard wall, with each student's name and information about each student's loan application. They apparently had no issues with his single-letter name, which means that the governmental name registration system didn't either. Even though he was a foreigner, and I've never heard about any native person with just a single name (not to mention just a single letter).

"MySQL ... Its name is a combination of "My", the name of co-founder Michael Widenius's daughter..."

I've also met a few "Jo"s in my time.


There are several of those I didn’t know, and wouldn’t likely have discovered them all even with research.

I would personally add one (maybe I'll do a PR): Phone number formats never change for a particular country.

A few months ago Vietnam removed one digit from all mobile phone numbers, making all the previously recorded numbers for the country invalid.

+1 from India.

There's a popular app in Bangalore that you can use to rent bicycles. I can't use it because my phone number (which has a relatively newly released starting digit series) doesn't pass their signup validation.

So frustrating.

It's frustrating indeed.

Related: email validation that doesn’t allow for + in usernames or any of the newfangled hipster fad TLDs.

So much this. Iran's phone number formats have changed at least 4 times in the past 20 years, and I am sure many more times if you go back a couple more decades.

Also "each country has a single format".

Belgium uses 9 digits (leading 0 included) for landlines and 10 digits (leading 0 included) for cell phones.

Yup. Another example: Poland dropped a "0" prefix from area codes for landlines some ten years ago.

Hah! I used to do a lot of telco work. This led me to basically assume nothing about phone numbers.

What got me, was that people working at the telco used to give us requirements that clearly indicated that the telco people entertained a lot of falsehoods about phone numbers too!

"Users will only store phone numbers in your product's phone number fields"

Not entirely sure what this point is trying to achieve. Do you read a birthday field expecting a phone number 99% of the time? Should you read a phone number field expecting an email address? And at what point in that process did you decide that not having data validation on both ends was a good idea?

So since I got a phone I have always used it as my address book (yeah, I export and back it up). In the early days Android was pretty nice. You can enter all sorts of things in there; multiple addresses, numbers, company information, birthdays of friends or other important dates etc..

But latterly, Android just won't do birthday dates. Oh sure, the dates are still in there and get exported from the database but there is no way to enter the information or look at it on the phone (I use BirthdayAdapter from F-Droid which causes a reminder on the day)

I expect that some people just put the birthday of their friend in a phone number field. In fact I'm pretty sure that millions of people just use random fields for their own purposes full stop, they just don't care about any of that.

So the article is saying that it is their phone, don't try to control them. If information is in the field and you can't parse it? You store it and export it as received but otherwise ignore it..

If you’re making an address book app, don’t expect people to put what you expect in the fields you give them just because you label the fields a particular way.

Interesting that Germany breaks the ITU limit of 15 - Germany is the last country I would have thought of to break ITU specs.

Every time I see one of these lists, I think of this list: https://github.com/kdeldycke/awesome-falsehood

It's a general list of "Falsehoods Programmers Believe About . . ." lists. Names also come up fairly often on HN.

If the description of the falsehood includes the line "Obviously, this isn't necessarily true." I am going to go out on a limb and suggest that programmers don't really believe it - at any rate I would like documentation of programmers believing that people have only one phone number.

"falsehoods programmers believe about X" is shorthand for "assumptions about X that some programmers have not examined prior to deployment in production code".

Any system that has an input with a single "telephone number" field that is both required and cannot accept multiple entries fits this pattern.

Think of it as a list of antipatterns to be avoided. Some of them were deployed intentionally, and others pop up because a programmer took the spec they were handed and implemented it without thinking about it -- or they did think about it and their attempt to fix it was overruled.

"Falsehoods Programmers Believe" Titles Considered Harmful

The unreasonable effectiveness of considering falsehoods programmers believe harmful.

Repeat after me: After reading this I realise the difficulty in using phone verification while scaling internationally.

Not just internationally.

The last time I was in northern New Jersey, Warwick Valley Telephone Company still supported five digit dialing across area codes!

People could dial 4nnnn to be connected to 973-764-nnnn (a New Jersey area code). They could also dial 6nnnn to be connected to 845-986-nnnn (a New York area code). There were about 15 different short codes across two area codes.

There are a lot of these little regional telephone quirks across America, and I think every one of them is awesome.

Between 2004 and 2007, Zurich (Switzerland) also switched dialing prefixes such that multiple phone numbers in fact referred to the same extension [0].

[0] Wikipedia unfortunately has the description only in German: https://de.wikipedia.org/wiki/Ehemalige_Telefonvorwahl_(Schw...

Kleinwalsertal. Austrian territory, but only reachable (by road) through Germany. Was connected to the German phone network, which changed once telco stuff got smart enough. Effect: For some time a German and an Austrian phone number reached the same phone.

Here’s my addition:

Phone numbers are of the same length within a country. In Austria phone numbers vary in length, and the trailing numbers can also be used by PBXs.

A few of these were new to me. I think people who come to phone numbers before Internet knew about the ITU decision to adopt a semi-efficient distribution by size model, so the numbers +x[y[z]] were given out for volume, not order-of-application. +1 was 'North America', not the USA, in this model.

The +88 and Taiwan is an interesting situation. The phone companies agree to do efficient routing to the TW IDD but China refuses to formally recognize it in the ITU. So, it's routed optimally, even if the prefix routing should honour Chinese (mainland) intent according to the model (that's how I have heard it. I don't know how accurate this is).

Telefonica runs several mobile operations in LatAM and I am told that numbers can be somewhat mobile (sorry) across borders.

I also know of AT&T subscribers who are domiciled in Canada and who are flouting some rules to get the phone roaming behaviours they want.

> googlei18n

> Some people do not wish to provide you with their telephone number when asked

Well, you don't say!

Next in the series, “Falsehoods programmers believe about 2fa, or: just use HOTP/TOTP, dammit.”

A challenge - try to register a Google account without providing personal information.

> A challenge - try to register a Google account without providing personal information.

I got my first Google (at that time just "gmail") account back when you couldn't just register freely - you needed an "invite" from somebody who already had an account. At that time you didn't need to register any personal information. I did add a couple more accounts, mainly to keep high-volume mailing list registrations, and I still have one of those where there's still not any phone number registered.

Now it's different, I guess. And not in a better way.

Heck, last time I tried to register a Twitter account I couldn’t do so without a phone number to receive a PIN, and a burner number wouldn’t do it. C’est la guerre.

I can answer my original question - Google has been actively blacklisting all forms of VoIP numbers to their best efforts, so it's almost impossible to register one account without putting in your personal information.

The last time I've checked it, there's only one workaround - you can purchase a real phone number connected to a computer from a cryptocurrency freelancer developer...

Many stories from the U.S media are condemning that the requirements of personal information online by authoritarian governments are threatening free speech, etc, meanwhile, in the U.S, big companies have done this voluntarily, and you need to be a hacker to register a Google account without personal information, it's just ridiculous.

"you can purchase a real phone number connected to a computer from a cryptocurrency freelancer developer..."

Where do I start looking for such a person? I very much dislike the privacy aspect of the whole phonenumber game and also the environmental impact of burner use.

His name is James Stanley. His personal blog is https://incoherency.co.uk/blog/, and it has many good articles about privacy and cryptography applications, such as Tor and IPFS; some have made it to the HN homepage. You can obtain such an anonymous physical phone number from his personal service, https://smsprivacy.org/, by paying 0.003 Bitcoin, at the current market price, about ~12-15 USD, per day. Such a high cost can be justified by the very nature of a physical phone number.

But I have to say that it's not a complete solution, it has its own limitations. Once a phone number expires, it just expires, and I don't think you can get your previous number back retroactively... So it can only be used as a workaround for verification code to register your account. If the service decides to issue an SMS challenge to you in the future, you'll have my Facebook problem, as I mentioned in the comment section.

Perhaps I can write to him to see whether he can implement a solution for this problem.

I don't personally know him, I'm just a reader in the field of security and privacy, and he happens to have a nice blog and an interesting service.

> I very much dislike the privacy aspect of the whole phonenumber game and also the environmental impact of burner use.

Then, you should also care about the environmental impact of cryptocurrency. Proof-of-work literally works by burning the energy, and in order to secure the network, it must burn as much energy as currently available for general computing.

I personally don't have a problem with it, as I think a global consensus mechanism is genuinely expensive, and merely using it does not directly contribute to its energy use, but I acknowledge that criticisms based on the environmental ground have a strong and valid point. Perhaps for you, using a burner phone is still a better option for your philosophy?

Meanwhile, looking forward to GNU/Taler, a PayPal-like anonymous payment system, which is not a currency, so it doesn't need to burn energy.


Is it hard to just buy a phone number? I can buy a prepaid SIM card for something like 1.5 eur and put it in a burner phone from a pawn shop for 5 eur, and I'd have a legitimate anonymous phone number that'll work for some time.

TOTP is rather vulnerable to phishing. U2F is the current gold standard, although impossible to use on iOS, sadly.

A lot of people have horror stories about what happens when they lose their phone number, etc. Concern can be extended to email address. I agree that it's a valid concern, there needs to be a better way to handle this. I am surprised that this happens with this crowd though. I would figure this crowd would update all their relevant stuff when their information changes. I normally do. But I know that definitely this would still be a problem for ordinary laypeople, so I'm not trying to blame the victim, and so I'm not sure what my point is. I guess this is just not an easy problem. I imagine identity theft would be rampant if the processes and requirements were more relaxed. I don't know what the solution is. :(

I think this all lumps into nobody really knowing everything about phone numbers, email addresses, and time

The biggest widely believed programmer falsehood I run into in practice: that they are ten digits and always start with +1. It’s right up there with “all users have a US ZIP code”.

Well I'm in the UK so my zip is 90210. :0p

If you are in the UK, you have a postcode, not a ZIP (which refers specifically to the Zone Improvement Plan, a project undertaken by the United States Postal Service).


"It wasn't even that long ago that mobile phones didn't exist, and it was common for an entire household to share one fixed-line telephone number."

And not long before that, it was common for several homes to share one fixed-line telephone number.


Brazil has changed the rules around the requirement to specify an operator for domestic long distance calls several years ago: https://gizmodo.uol.com.br/anatel-aprova-ligacoes-de-longa-d... (link in Portuguese)

"Every phone number has an area code."

Is the falsehood of the above statement sufficiently evident? I don't see it listed explicitly. In Hong Kong, for example, phone numbers are just 8 digits (+852 1234 5678). Some websites/apps insist on an area code, forcing one to arbitrarily split the number.

Oh.. and about 25 years ago, phone number length was set to 10 digits. All numbers changed.

> phones in […] Kosovo may be reached by dialing the country calling code for Serbia (+381), Slovenia (+386), or Monaco (+377)

That can't be right. When will Americans learn basic 4th school year geography?

Geography and dialling codes aren’t necessarily aligned. So none of those countries share a border - it doesn’t mean there was never a weird issue with international dialling codes at some point (and, after I did a bit of searching, it seems that there was)

> none of those countries share a border

Precisely. That should give the reader pause to think that there's something wrong.

You're missing that the author mixed up Monaco with Montenegro (Kosovo's neighbour) because they sound similar. That's the perennial Austria/Australia confusion writ small.

There's no mixup.

Kosovo has numbers that are reachable through Monaco (not Kosovo's neighbour) country code.

Kosovo does not have numbers that are reachable through Montenegro (Kosovo's neighbour) country code.

I’m not missing anything. It sounded unusual, so I looked it up before posting :-D

Do you have a source for that?

Considering the US has states that are larger than those countries, can 4th year students from those countries fill in a map of all the US states?

>1. An individual has a phone number

Requiring a phone number is one way for me to ignore your website or service (ie, Signal) forever. But if you do it I'm probably not your target demographic anyway.

Requiring a phone number still reduces fraud a lot.

It also enables it. All while being an ugly friction point for many users.

I see a lot of hate for companies using phone for verification; the real hate should be directed towards AT&T, Verizon because they are double handedly setting the entire world back. If a phone doesn't do what they want - they won't sell it and it will lose a lucrative market.

Phone numbers as they are today should be dead. The world is connected using internet and there should be a new standard for "call identity" which should be cross region.

On a tangent, how do people who use services like Google Voice deal with their VoIP numbers being rejected for verification by many sites?

Adding to the list:

Some people want to put phone numbers in their address books but never ever want to call that person. An example would be to get a name from a number only caller ID so you know not to answer that call.

A flag beside the number to indicate no outbound calls would be helpful. (separate flag for no inbound calls)

I'll add a few other falsehoods:

* a SIM card holds only one phone number.

* if a SIM card holds multiple phone numbers, they are from the same country.

> An individual has only one phone number

Always feel these lists include things no human actually believes.

It’s not that people believe this - it’s just that they don’t think things through when building something. This point was mentioned because there are plenty of CRM/contact-management systems that only have a single phone number field per contact. Or worse: Outlook, which is expressly marketed as a contact management tool, with its arbitrary restriction of 3 phone numbers and 3 e-mail addresses per contact - or how all contacts have to have first and last names (how do I have a “company” contact? Etc). Point is, don’t be like Outlook.

I think it's hyperbole for "things you should be careful about". Obviously nobody really believes every human on the planet has a phone number, or only one, or that there don't exist people who share phone numbers... or pretty much every other item in this list :P

I think it was a riff on the "falsehoods programmers believe about names" article, which is a bit more insightful.

>> An individual has only one phone number

> Always feel these lists include things no human actually believes.

Well, somebody believes that. I can register my phone number with the local postal system, and, as shippers add a phone number to shipments, I can search for shipments to me by logging in to my post company account on the net, or via the Android app. The problem? I can only register a single phone number. But I have two numbers, and, for various reasons, different shippers must sometimes use one or the other, and not the same number. But I can't register more than one, and I can't register two accounts - b/c they also need my social security number, which is unique. So I can only track a subset of shipments to me. All because somebody there (it's their own software) made the assumption that an individual can only have, or at least use, a single phone number. I did report this as a bug, with no understanding.

Programmers make stupid assumptions all the time... usually because they are focused on some other more difficult problem and they assume some other problem like this is easy and they don't have to think much about it, so they don't.

I guess I'm just cynical, but I always thought it is the companies who want your phone number for information gathering/ads/etc and not the programmers making this choice

Here's a good one: All phone numbers can be reached using tone dialing. (I know of at least one phone number to which one can connect only using pulse dialing.)

How is that even possible?

The origins of telecommunications automation. https://en.wikipedia.org/wiki/Pulse_dialing

So basically phone numbers are one or more alphanumeric fields.

You can put symbols in phone numbers.

So basically phone numbers are one or more text fields.

Yup. And unless your product is a PBX, a phone number should be an opaque blob to you.

Just looking at a real telephone immediately disabuses one of the idea that they are numeric or even alphanumeric.

Go look at the keypad of a POTS touch-tone telephone. You'll see 10 digits and 2 non-numeric non-alphabetic symbols.

In fact, there are at least 16 possible characters at the signalling level, considering just DTMF alone, and not counting punctuation added at the human-readable level like hyphens, spaces, dots, and brackets. Then there's SIP. (-:

Alright, guess I'll be using email verification

As long as you don't try to validate the email address I entered. The list of gotchas for email address parsing is impressive too. (e.g. "Cool Address"@example.store is a valid email)

You should validate any email addresses, just keep in mind that proper validation requires you to attempt to send an email to it and check if the user received it.

These might be valid but nobody uses them and nobody will complain if you do not support them.

Not sure why this is getting downvoted. It's a valid point. There is a gap between "technically valid email addresses" and "email addresses that reasonable people use".

Not that I downvoted, but the attitude annoys me. As a developer you have two options:

1) Do nothing and support all valid addresses (that your mail system can handle)

2) Spend development time to make your system not support all valid addresses.

Why do you spend development effort to make your software worse?

3) Realize that undervalidation of input can create opportunities to introduce backdoors into your system.

4) Realize that the added benefit of supporting weird formats are not worth the time to verify that it actually works.

As someone who works on an email client, I can absolutely tell you that using IP address literals and quoted localparts are more trouble than it's worth. Chances are, the libraries you use can't handle them anyways. And if you don't try to support quoted localparts, then normalization is a lot easier. (Although I was once locked out of a system because I signed up with an email address that used capitals and the login form changed to lowercase it without changing the database storage, which meant no form I could spell it would cause it to match).
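The lockout described in the comment above, next to a store that derives one lookup key and uses it at both signup and login (an added example, not code from the thread). Lowercasing the local part and refusing quoted local parts and IP literals are policy assumptions taken from that comment, and all class and function names are hypothetical.

```python
class BrokenStore:
    """Reproduces the lockout: rows keyed as entered, login lowercases."""

    def __init__(self):
        self._rows = {}

    def signup(self, email):
        self._rows[email] = {"email_as_entered": email}

    def find_for_login(self, email):
        # The login form lowercases, the stored key was never lowercased.
        return self._rows.get(email.lower())


def canonical_key(email):
    """Single canonicalization used for every write and every lookup."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local@domain")
    if local.startswith('"') or domain.startswith("["):
        # Policy assumption: quoted local parts and IP literals are refused
        # up front instead of being half-supported.
        raise ValueError("quoted local parts and IP literals are not supported")
    # Domains are case-insensitive; folding the local part is a policy choice.
    return local.lower() + "@" + domain.lower()


class AccountStore:
    """Keys rows by canonical_key() and keeps the address as typed for mail."""

    def __init__(self):
        self._rows = {}

    def signup(self, email):
        key = canonical_key(email)
        if key in self._rows:
            # Two accounts differing only by case would be indistinguishable
            # at login, so the second one is refused.
            raise ValueError("an account with this address already exists")
        self._rows[key] = {"email_as_entered": email.strip()}
        return key

    def find_for_login(self, email):
        try:
            return self._rows.get(canonical_key(email))
        except ValueError:
            return None


if __name__ == "__main__":
    # Constructed sample address.
    broken = BrokenStore()
    broken.signup("Alice@Example.COM")
    print("broken store finds the user:",
          broken.find_for_login("Alice@Example.COM") is not None)

    fixed = AccountStore()
    fixed.signup("Alice@Example.COM")
    print("fixed store finds the user:",
          fixed.find_for_login("alice@example.com") is not None)
```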

OK, try to get my email system to accept yourname@3com.com

Hint: I believe domain names cannot begin with digits.

The original DNS specification said that could not be done, but it is legal as of RFC 1123.

Why is this downvoted? Because it violates Postel's law, one of the cornerstones of the technology running the internet:

"Be conservative in what you do, be liberal in what you accept from others"

> be liberal in what you accept from others

This is a recipe for disaster and code bloat. I met in the past a vulnerability that some irc clients had due to that principle.

It depends. There are plenty of harmless examples like removing leading/trailing whitespace when entering a name. Ignoring whitespace, dashes etc. when entering a code, etc.

A bit of extra effort by the developers saves a lot of people a lot of time.

The extreme cases are very rare, but even reasonable addresses are rejected regularly.

I have had various email addresses of me rejected because

- of an unusual tld (whatever@somewhere.tech)

- it was an email of a subdomain (whatever@some.where.com)

- it had a two letter username (me@somewhere.com)

It's very rare that you get to confront the bane of your online existence, but here we both are.

But, you know, I have seen one or two such email addresses. So somebody does use them.


Cool, I have a bulletproof regex for that


... I hope

As long as you do not limit the email to certain popular providers then it is a good solution.

Is there a library for addresses? These are even more complicated...

Addresses have been covered a few times here, try a site search (down in the footer), some of those convos are interesting.

Interesting how nobody here is complaining about Apple forcing all developers to switch to 2FA this month.

They sell it as "more secure" and I read it as "higher chance to get locked out".

Don't use SMS 2fa, use TOTP.

Doesn't seem to be supported:


A few years ago I discovered that if you have a phone number and an email address in a contact in your iPhone, iMessage looks for other accounts using the email address FIRST -- even though it's ostensibly replacing SMS, which of course is phone number based.

I found this out because someone accidentally put my email address in a contact (see: https://xkcd.com/1279/) and then texted me to call out sick. After multiple attempts to explain that I was not actually her boss, she accused me of stealing the phone number.

That was a fun day.

I find this category of posts ("falsehoods programmers believe about X") to be patronizing and unhelpful. Most of these lists (this one included) don't give good explanations and don't have guidelines for how to avoid the problems that are highlighted. It's usually just a list of condescending gotchas.

I find these helpful when my team is designing a feature that intersects with this kind of "gotcha" area, and it sets off warnings in my mind, "I know there's something tricky about this business requirement but I can't put my finger on it...", these type of lists at least help me identify particular pitfalls, even if they don't provide solutions, so I can provide specific and scoped concerns to push back on or clarify the business requirements.

Some people just also really find these fun to think about.

Yup! There are lots of things like this, where I don’t have the list memorized, but I remember that there is a non-trivial, non-obvious list of considerations to take into account when doing a certain thing in a non-fragile (and non-discriminatory) way.

A list of these lists might be useful.

I think you're being a bit harsh in this case.

I don't think many of these have a useful explanation that would stay within the useful scope of a list like this. Knowing the local implementation details of Argentina dialing requirements, and why the 9 needs to be dropped, most likely involves long-gone phone carriers, organic implementations, and local politics.

Expecting guidelines for most all of these is not realistic since many are just "how it is". For most, the guideline is an obvious "don't do/expect this". If your list is mostly comprised of unexpected behavior, then "falsehoods x believe" is probably ok.

As for avoiding the problem, you can't always avoid reality; sometimes you have to accommodate its weirdness, especially when dealing with > 100 year old systems with massive interoperability problems.

Really? While I personally don't need to work with phone numbers for my job, I found this list to be incredibly interesting. For many, this type of knowledge is often attained by making incorrect assumptions in your code/system design and having them proven wrong over time. Having a list like this which lays it all out for you in one shot is amazing.

Isn't every language unique?

I feel like this teaches a way of thinking.
