There are other oddities: The author complains about the security of SMS verification, but then goes on to complain that even more incredibly insecure workarounds don't work. And then the author attempts to be in some sort of position of authority about the reliability and other aspects of the network and carriers, while fully admitting that they don't even have a phone number or smart phone.
There are certainly valid complaints around SMS verification, networks, and carriers, but this article seems out of touch.
If you provide me with a phone number +12121234567, and I send you a unique code via SMS / voice call, and you provide the code back, and I haven't had anyone else register with that phone number, I can conclude with some limited degree of confidence that:
1) You are a human.
2) You are in the United States present, or usually are.
3) You have money and an address and are capable of buying things (after all, you have apparently succeeded in buying a phone and maintaining an account).
4) There's some prospect you could become a customer, or a vendor, and we could do business.
If you give me an email address email@example.com, I have none of those assurances, and it's entirely likely that you are not a human, or are a human overseas who is in the business of scamming people.
Sure, someone can get access to phone numbers anonymously, from overseas, or to scam people, but it's enough of a minor hassle (for all the reasons listed in the post) that they tend not to.
It's like if someone walks into your shop/restaurant in a disheveled state, unshaven, and with body odor, versus in a suit and tie and recently shaven and aftershave. The latter is rather more likely to be someone you'll want to do business with, even though there's always the feint possibility that the former is actually a billionaire playing an elaborate trick on you.
It easy to imagine an improvement on phone numbers for providing this limited level of identity verification, but email addresses aren't it.
Wow, "entirely likely" — what do you base that estimation on?
Your analogy to a walk-in is completely on point too: surely only people in "disheveled state, unshaven, and with body odor" would sport an email address and think that's a good representation of their identity on the internet.
I've conducted business with a bunch of US companies, sometimes shipping to mail forwarding companies based in US to forward stuff home (eg. that's how I got my last few $2-3k laptops). Businesses that build in some silly protections like the phone number in do not get my business.
For us who've been using the internet long enough, phone number is a weird requirement: Google and eBay keep asking me to confirm my number upon login for 15 year old accounts (with eBay there's even no recourse on the page, but you do get logged in, so you can just reload the page you wanted and the screen is gone).
More people have telephones where they can be reached than email addresses.
More people have telephones where than can be reached than mailing addresses.
Yes, delivering SMS globally is a shit-show, voice calls is better but also filled with terribleness, but so is everything else.
Wow, I’ve never really thought about this. Any idea where I’d go to get (I assume very rough) numbers on people with addresses vs. phone numbers?
Rural postal service gets pretty iffy in the US, and in countries with less resources, you might only get mail service in big cities.
I would imagine that postal services work decently well even in the poorest of countries and only war-thorn areas are less accessible by post.
I am not talking of next-business-day services, of course, though they are picking up everywhere too.
Author focuses on the fact that internet-only businesses are stsrting to ask for a non-internet identifier.
For people who are getting onto the internet with their new smartphones in 2021, they may not have an email.
Yes, it's hard to use google play without a google account, but they may skip that, or have a young person fill that out.
If you made it this far without email, you're unlikely to start now.
That is kind of the point isn't it. Despite all its shortcomings it's a useful identifier because of its scarcity.
Btw, the domain name system and x.509 would not work either without scarcity and trust delegation.
In fact if I remember correctly some newly re-imagined digital 'networks' like Urbit also opted for scarce identifiers, because they work out better economically.
Perhaps the point is not what the technology allows, but the status quo around what constitutes an 'acceptable' form of identification. Whatever the solution (for personal identification) it needs to be somewhat scarce, but also ubiquitous. But different applications need different level of scarcity. Phone numbers just seem to be the right balance for social media.
What's the advantage of not having a number, over having a number that doesn't make your phone ring?
Also: getting those stupid SMS codes when you are in another continent, it's basically impossible. So what's the point of all of this?
The author may as well live in the woods in a faraday cage with a tinfoil hat at this point.
For security purpose, email or any 2 factor authentication system is better.
For providing uniqueness, as already proven by the current market, it's easy to get a new number for free and bad actors can automate that for a price.
I would say if you're doing a service where uniqueness matters, you should rely to government documents verification (eg. https://identity.stripedemos.com/, 1.5$ per user), which, unfortunately, we're all required to have.
That said, no big tech exec will listen to this.
It's not all bad, I don't really need one more reason not to use Twitter or Google.
I have a personal mobile number, a personal mobile number from the country I used to live in, and two work numbers. If I take a longer trip somewhere, I might have another mobile number for a few weeks.
I don't have one now, but landline numbers are generally shared between a whole household.
I can get E.164 numbers for $0.85/month from a VoIP provider, which is comparable to the cost of a domain name. There are plenty of VoIP providers that can port phone numbers from landlines or cell phones to VoIP. There are more similarities to domain registrars than differences.
The number you get from a VoIP provider is also at substantial risk of being in a "ghetto", whereby it mysteriously cannot receive verification code SMSes, or is discriminated against by tech companies who want a "real" number, etc.
The perfect counter example is how email addresses are treated. The vast majority of consumers went with email addresses provided by their internet providers when they signed up 20 years ago. As a competitive ISP, there is no process comparable to Local Number Porting available for email addresses. I have potential customers who have run their business through firstname.lastname@example.org for so long that they refuse to change ISPs because they are unwilling to change that email address. If emails were regulated more like phone numbers, end users would be able to change ISPs and get a forwarding record. That is absolutely not the case for IP addresses and email addresses. That's a pretty major hole that you are ignoring.
With a phone number, legislation was required to enable some of that (keeping a phone number when switching operators). It still does not work across countries, for instance. With legislation, email forwarding could be just as simple indeed, but at least you can solve that problem once yourself!
Basically, for all its problems, email is a technically better solution.
There are practical problems with email too: Gmail will frequently put my emails into spam folders of recipients because my mail server doesn't send enough emails regularly to be treated as trusted server (perhaps I need to start spamming my own gmail accounts :)).
I've had my domains for years (15+) so the risk of losing them is mostly theoretical (other than forgetting to pay and lack of consumer protection past 1 month due to domain squatting).
The percentage of people that register their own domains are in the minority, and probably are a very small minority. The bulk of the public use domains controlled by their email provider, and they have need of something like LNP.
If email had a process similar to LNP to migrate addresses between providers, I'd agree with you, but it doesn't and nobody is pushing to do that either. Technically it would not be that hard to do. I'd love it if there was a redirect mechanism where attempts to deliver to a ported email address returned an SMTP code telling the sender to deliver a given address to another MX record. Email forwarding as currently implemented is absolutely awful as much of the information about the original sender (like IP address) is lost.
Don't have to imagine. Maybe not quite 80%, but probably most of them are.
If not, think you need to push for increased regulation or enforcement wherever you live if that's the case. Elsewhere regulation means it's sort of an identifier and fundamental changes to the role of domain registers would be needed to make email a feasible alternative.
Interestingly I am also now locked out of an old Gmail account I have had since 2005 in the same way; any attempt to merely login to it yields a demand for a phone number. There is no phone number filed for that account, so this cannot possibly be for "security". It is literally an attempt to extort a phone number out of me if I want access to my own data. One suspects this is probably against GDPR, of course...
There have been real incidents, including in the last few years, of high-value accounts of people being successfully hijacked via the hijacking of their phone numbers.
Every single practical problem that your post ascribes to SMS also applies to email. Approaching 100% of all email addresses in the world are not permanently attached to individual people and are entirely subject to the whims of entities like Google.
"Approaching 100%" is not "the email system". This is not a systemic issue with the design of the system itself and the system remains open. Personally I run my own email, yet it is not practically feasible for me to "run" my own telephone number in the same sense.
A well-run SMS system provides far greater security than SMS. Instead of comparing a well-run email system against a poorly-run SMS system, comparing well-run versions of both would feel like less of a straw man.
Maybe a particular technical representation does, but that's not a strong expression of whatever case you're trying to make. Nothing about sending text messages using phone numbers as identifiers necessitates or demands insecurity. Signal uses phone numbers as target identifiers for text messages too. Nothing about the phone number has any bearing on the rest of the chain. Nothing about sending messages necessitates sending them insecurely. Nothing about sending messages to phone numbers necessitates it being easy to steal phone numbers.
You could write three separate articles titled "I think all text messages should use encryption" and "I think I should be able to have my own identifier/namespace" and "I think it should be harder for someone to steal my identifier", but those issues have nothing to do with each other. And not only is only the most pointless one (choosing your own identifier/namespace) addressed by using email addresses, you're still living on borrowed time at the whims of domain registrars and DNS.
I didn't say anything about how Signal decides on routes. I said that Signal uses phone numbers as identifiers. If Signal wanted to make you verify "ownership" of your identifier some other way, that would not change anything about the nature of the system other than its ease of initial setup.
Both sending a message to a phone number assigned from a phone number registrar and sending a message to an internet domain name assigned from a domain registrar are sending messages addressed with identifiers assigned by registrars. Even if the implementations themselves differ, those differences are not condemnations of the principle of sending messages to identifiers. And it looks bad when you start using arguments like "phone number registrars are more gullible than domain registrars" as if that's not entirely circumstantial, speculative, and un-intrinsic to the technology or the business.
Edit: Yes, and I'm saying that the latter can actually be secure.
No, you misunderstand me. The reason I didn't say anything about the transport mechanism is because it doesn't make a fundamental difference. People hijack domains and internet packet routes through both technological and social engineering attacks literally all the time. None of the complaints in your post have anything to do with any essential or necessary characteristics of phone numbers or phone networks or phone service operators.
Email messages are routed to your domain by a gentleperson's handshake agreement between networks outside of your control plus a little bit of government regulation in exactly the same way that phone messages are routed to your phone by gentleperson's handshake agreement between networks outside of your control plus a little bit of government regulation. All possible arguments about routing trust being violated apply equally to both networks. All possible ideas about layering security on top of the network, like e.g. TLS handshakes, apply equally to both networks.
> It's patently obvious that to use phone numbers as identifiers you have to prove control over them at some point.
Signal doesn't ask for your phone number to prove the network path for your messages. What they're trying to assess is whether some entry in someone else's contacts list can be associated with your identity. If they wanted to, they could ask you to show up in person with a valid phone service contract and let them set up your client account directly. People just wouldn't bother to use Signal then.
> So what is to stop me from signing up for a Signal account using your phone number?
The same exact things that stop me from signing up for things using your email address. I could get someone to route requests for your domain to my servers if I had sufficient criminal intent.
Frankly I prefer it that way. I don't want to have to feel guilty every time I use my phone. The cost of my typical monthly usage could drop to five dollars and it would still force me to constantly think about whether what I'm doing is "worth it". Maybe I'm just a weirdo but I don't need that stress in my life.
With packet-switched, your call isn't typing a circuit, just a small portion of speed, and once your call ends, someone else can use it.
You need more lines to support circuit-switched networks than packet-switched networks.
So you should feel more guilty using circuit-switched technology than packet-switched technology.
Fortunately I think a lot of providers once you are out of the "last mile" to your house or business are using SIP even if internally. Where I work I'm seeing things like SIP over T1 instead of PRI.
Of course, it's a lot easier to multiplex SIP with other IP traffic, I don't think you can split a T1 as a couple PRIs and the rest IP, and even if you could, you probably couldn't do it dynamically. Having a system where data can use the bandwidth when you're not making calls, and calls can use it when you are is pretty valuable.