Why are phone numbers a privacy problem?
September 14, 2021 / Alex Linton
Phone numbers are not private. Using your phone number can put your privacy at risk. If you’ve spent much time around the privacy movement, you’ve probably heard countless people lament the privacy shortcomings of phone numbers. It’s a huge problem, and phone numbers remain the Achilles heel of plenty of privacy-focused apps such as Signal and Telegram. Avoiding phone numbers is a key part of Session, and anonymous sign-up is one of Session’s most-loved features. But because the opinion that phone numbers are a major problem is so widespread, sometimes people don’t stop to explain it.
Phone Numbers: The Silent Threat to Your Privacy in 2024
Phone numbers are no longer just a piece of contact information; they have transformed into powerful identifiers that can compromise your personal privacy. If you’ve spent any time in the privacy community, you’ve likely heard about the risks associated with phone numbers. The truth is, phone numbers are the Achilles heel of many privacy-focused apps like Signal and Telegram. That’s why Session was built from the ground up to avoid phone numbers entirely, offering anonymous sign-up as one of its most-loved features. But why exactly are phone numbers so dangerous?
From Contact Info to Identity Marker: The Evolution of Phone Numbers
Decades ago, phone numbers were simple—a way to call your friends or get updates from your doctor. But today, phone numbers have morphed into something far more invasive: a pseudo-social security number that ties you to nearly every online account. Whether it’s banking, healthcare, or social media, your phone number is often used as a verification tool, creating a direct link between your identity and the services you use. This reliance on phone numbers introduces a host of privacy concerns, turning them into a gateway for tracking and surveillance.
Why Changing Your Phone Number is a Privacy Nightmare
When was the last time you changed your phone number? If you’re like most people, probably never. Our phone numbers have become so deeply integrated into our lives that changing them would be an enormous hassle. It’s not just about updating your number with your bank or doctor—it’s also about losing contact with hundreds of people who have your number saved. Worse still, old numbers can be recycled and reassigned, potentially sending your personal information straight into a stranger’s inbox.
Bonded for life: When was the last time you changed your phone number?
Phone numbers are critical to the way we move about the world these days. Pretty much every service that lets you make an account—including essential services like banking and health—uses your phone number to verify that you’re the real human you claim to be. This ever-increasing dependence on phone numbers makes it a logistical nightmare to try and change your phone number, and because of this, people just never change it.
Even as a privacy-conscious person, it has been years since I updated my phone number. Changing my digits wouldn’t just mean that I have to sit down and spend hours tracking down and changing my on-file phone number at my doctor’s clinic, gym, work, and a million other places — it would also mean that hundreds of contacts from years of professional and personal number-sharing would (effectively) lose my phone number. Even worse, if my old number ended up getting recycled, then my personal messages could end up in someone else’s inbox.
Because of all this, people end up changing phone numbers less often than they change their actual, physical address. This is a big problem — over the years, you’ve probably entered your phone number into long-forgotten websites, petitions, and apps, and now your phone number is buried deep in all corners of the internet.
Match made in heaven: Databases linking you to your phone number
Because phone numbers are semi-permanent pieces of information about you, it is really easy to create up-to-date databases which link your real identity with your phone number. In lots of countries, you can’t even get a phone number without being on a government-operated registry. And to make matters worse, this linkage can follow you across every platform where you provide your phone number.
That means that even if you sign up to a platform like Twitter with a fake name and a pseudonymous handle, as soon as you verify the account using your phone number it’s simple for Twitter, the authorities, or even other people to work out who’s really operating that account.
Some experts have even suggested that having someone’s phone number is more useful than their social security number if you want to dig up information about them. That’s because phone numbers are in the middle of the Wild West of information exchange. Your phone number is affiliated with hundreds of databases, and a lot of the time phone numbers flow freely along information pipelines.
Digging up the past: Phone numbers and metadata
Because of all this, phone numbers are one of the most valuable pieces of metadata that services can store. Using nothing but phone numbers, apps that might seem private become extremely vulnerable. This is especially the case for messaging apps like WhatsApp, which boast about their end-to-end encryption, but fail to mention how their account system leaves its users vulnerable.
Unfortunately, it is this precise vulnerability which exposed former Treasury Department official Natalie Edwards — a whistleblower who worked with Buzzfeed to disclose information about suspicious banking transactions evidencing Russian interference with American politics. Now, Edwards is serving a six-month prison sentence for exposing this corruption.
Metadata collected and provided by WhatsApp proved pivotal in the arrest and conviction of Edwards, with hundreds of messages between Edwards and a Buzzfeed reporter successfully connecting Edwards to the leak. The time and frequency of the messages were strong evidence — because the phone numbers of both Edwards and the reporter used on their WhatsApp accounts were easily linked to their real identities, even if the message contents were encrypted.
Edwards’ story is unfortunate, and their work is commendable, but the deliberate positioning of WhatsApp as a ‘private messenger’ led them to believe that a fundamentally flawed application was safe for them to use. This is just one example, but there are undoubtedly many cases where the traces left behind by phone numbers have jeopardised the privacy and safety of people around the world.
Ditching those digits: Moving on from phone numbers
The privacy problems which phone numbers introduce are extremely well documented, but lots of major platforms are still hesitant to move on from the phone number standard. They are convenient, well-explored, and just plain valuable. But having said that, it’s time to break up with phone numbers — at least for the purpose of being a digital identifier.
Session uses public key encryption instead, which is an inherently ephemeral solution that gives users a whole lot more privacy. As more projects build platforms which don’t require a phone number, it’ll become easier and easier to write off apps that won’t give up on phone numbers. It’s time to leave them behind — things were never meant to be like this.
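To make the metadata point above concrete, here is an added example (not code from Session, WhatsApp, or the original article) that summarises the same encrypted traffic twice: once with phone numbers as account identifiers, once with random key-style identifiers. The registry, log fields, numbers, and hex IDs are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed registry (phone number -> registered name); values are made up.
SUBSCRIBER_REGISTRY = {"+15550100": "Alice Example", "+15550101": "Bob Example"}

def envelope(sender, recipient, ts, size):
    """Metadata a server can log even when the message body is encrypted."""
    return {"from": sender, "to": recipient,
            "ts": datetime.fromisoformat(ts), "bytes": size}

# Constructed traffic between two accounts identified by phone number.
PHONE_LOG = [
    envelope("+15550100", "+15550101", "2021-09-01T21:04:00", 212),
    envelope("+15550101", "+15550100", "2021-09-01T21:06:00", 98),
    envelope("+15550100", "+15550101", "2021-09-02T07:30:00", 1540),
]

# The same traffic with random key-style account IDs (constructed hex strings,
# not any real ID format) that were never registered against a name.
KEY_ID = {"+15550100": "7f3a9c41d2e8", "+15550101": "b05e66a1c9f0"}
KEY_LOG = [dict(e, **{"from": KEY_ID[e["from"]], "to": KEY_ID[e["to"]]})
           for e in PHONE_LOG]

def summarize(log):
    """Group envelopes by unordered account pair: count, first and last time."""
    pairs = defaultdict(list)
    for e in log:
        pairs[frozenset((e["from"], e["to"]))].append(e["ts"])
    return {p: {"count": len(t), "first": min(t), "last": max(t)}
            for p, t in pairs.items()}

def link_to_identities(summary, registry):
    """Join each pair against the registry; IDs not in it stay 'unlinked'."""
    return [(sorted(registry.get(i, "unlinked") for i in pair), s["count"])
            for pair, s in summary.items()]

if __name__ == "__main__":
    for label, log in (("phone-number IDs", PHONE_LOG), ("key-style IDs", KEY_LOG)):
        print(label, link_to_identities(summarize(log), SUBSCRIBER_REGISTRY))
```

The message count and timing survive in both logs; what changes is whether the account identifier can be joined to a named person.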