I would spend the time to write this in my usual lovely article style, but I’m too upset to do that right now. To put it bluntly: email and phone numbers suck. They both need to die.
Emails
Security
Email, like many other protocols, was not originally designed with privacy or security in mind. You can get “less bad” email providers such as Proton Mail or Tuta Mail, but those only have basic privacy when contacting other emails using the same provider.
Email is one of many protocols designed in the early days of the internet before privacy and security were considered. Since then, there have been Band-Aid solutions added to email to give it some semblance of security, but it is still fundamentally insecure. It lacks many of the features that modern communication protocols like the Signal Protocol and SimpleX Chat Protocol have.
Aliases
One major flaw with emails is that people commonly use the same email for everything. That not only becomes a unique identifier, but it makes it nearly impossible to fight spam and puts all your accounts at risk if your email is breached.
A solution was created to fix this problem in the form of email aliasing services such as addy.io or SimpleLogin. These services allow you to create a large number of random email addresses that all forward to your real email address. This allows you to avoid using a unique identifier for every website, and block spam by simply disabling the email alias.
Email aliasing is great… when it’s accepted. Many services have begun blocking email aliases because aliasing eliminates a unique identifier. People (allegedly) use aliasing to create multiple accounts to abuse free services.
Overuse
Email is required to sign up on almost every website. As mentioned previously, it has many security flaws and email aliasing only partially helps. Websites abuse the fact that emails are supposed to be a unique identifier, so they use them for things like multi-factor authentication or login alerts. Neither of those is what email was designed for, and using email for them only puts your account at more risk than using an authenticator app like Aegis Auth or Ente Auth.
Email is also used to sign up for newsletters, receive shipping alerts, send sensitive information for jobs and job applications, contact most businesses, and even log into some computers. All of these pose a risk if you don’t use email aliasing or if your email is breached. What upsets me most is seeing open source software requiring email addresses, like GitLab, Codeberg, many Lemmy instances, etc. These shouldn’t request anything past a username and a password.
Email overuse has gotten so bad that many disposable email services like Maildrop have been created in order to generate throwaway emails to get past authwall screens. These should never be used for real accounts because anyone can access them and, as I mentioned before, most websites will allow you to log in only by verifying your email.
Anonymous Email
Email providers are being hit with mass sign-ups because of how often email is used. Because of this, many email providers block you from signing up if you are connected to a VPN or Tor. This means that in order to create a single email address to do almost anything across the internet, you must give away your IP address to the email provider first, effectively deanonymizing yourself. The internet was supposed to be built to be free, but giving away your personal information to access content doesn’t sound very free to me.
Kill Emails
Emails are outdated, overused, and not private. They were never designed to be (ab)used the way they are right now. Even something as simple as setting up Git or GnuPG asks for your email, or signing up for a local event. This needs to stop. Using fake emails doesn’t solve the underlying problem.
Phone Numbers
Gratis
If you thought free emails were bad, imagine paying to have your privacy disrespected. A single phone number will cost you a monthly subscription, even if you only need to receive a single text. Prepaid SIM cards are becoming a dying art, especially in the United States. Most mobile phone operators will make you buy and activate an eSIM, which requires an egregious amount of personal information to activate (including email). Most payphones have been abolished too, meaning you can hardly pay by the minute anymore.
Security
Phone numbers don’t even pretend to be private or secure. It’s sent unencrypted to anyone with a $15 antenna, and intercepted by almost every government in the world. Salt Typhoon showed just how abysmal cellular security really is. RCS and iMessage are slight steps up in terms of privacy (providing at least some encryption), but they barely provide any protection.
Phone numbers in this respect are even worse than email. SS7 attacks can trivially intercept communications by anyone without any user interaction. That is an easy way to grab multi-factor authentication codes sent via SMS. Despite all of these known issues, people still insist on using phone numbers for almost everything.
Aliases
While not free, you can use services such as MySudo to create phone number aliases. These aliases are really just real phone numbers, all of which you own. Unfortunately, these phone numbers are VoIP numbers, which many services block.
Overuse
Like emails, phone numbers are used in a lot of applications. Because they cost money, they are a better unique identifier than emails, since people are less likely to own multiple. Phone numbers may be required to create accounts, apply for jobs, do almost anything government related, and much more. All of this is done unencrypted and intercepted.
My favorite: in many places, you have to use a phone to contact non-emergency services. The homeless and other people who can’t afford phone numbers are unable to report crimes since there are no pay phones. Even visiting the police station in person will get you turned away and told that you must call (speaking from experience) no matter how much you try to convince them.
Thankfully, many times when a phone number is asked for you can put in a fake phone number without risk. For many applications, throwaway number services will also work. Applying for jobs, a lot of the time you will be asked for your phone number. If you simply inform them that you do not have a phone number, most will accept that or (at worst) give you a funny look. I would prefer email when applying for jobs anyways since you aren’t sprung with a sudden call.
Anonymous Phone Numbers
The only way to get an anonymous phone number (without risking buying second hand) is to buy a burner phone with cash, a prepaid (e)SIM, and use as much fake information as possible (even the area code). This will easily run you $45+, and requires a subscription to keep using it. Beware that the phone you use it with may disrespect your privacy in other ways.
Kill Phone Numbers
Phone numbers are one of the least private and least secure methods of communication. It is under active mass surveillance, and costs way too much money. It’s good to see younger generations moving away from phone numbers towards third party services (no matter how bad they are), because that means that there is hope of killing phone numbers once and for all.
Kill Both
Anyone can create an email. Anyone can buy a phone number. It should not be used as a unique identifier, and certainly should not be used for authentication purposes. We need to stop overusing insecure, nonprivate communications, and start normalizing using Signal usernames or SimpleX Chat addresses for general use. Currently, if you stick only those on your resume for your contact information, you will most likely not receive a message back. That needs to stop. Phone numbers and emails can get leaked and cause endless spam/scams compared to other forms of communication. There is no reason to keep using either option when so many better options are available.
Try to create a full software stack without using services that request your email or phone number, and you will begin to see just how bad the problem has gotten. Some services like Mullvad VPN and KYCnot.me have begun requiring no personal information at all to create an account, not even a password. They randomly generate account numbers to be used to log in. I want to see more of that instead of…
spoiler
Please enter your first name.
- Must be at least 3 characters.
Please enter your last name.
- Must be at least 3 characters.
Please enter your date of birth.
- You must be at least 13 years old.
- The birthday we let you enter (01/01/1900) seems invalid.
Please enter your username.
- That username is taken
- Some characters are not allowed
Please enter a display name.
- Some characters are not allowed, but the requirements are different from anything else.
Please enter your email.
- Sorry, but that email is blocked
- We’ve sent a code to fakeemail@please.stop
- No email received
Please enter your phone number.
- We don’t accept VoIP numbers.
- We’ve also sent a code to +1 (555) 867-5309, because why not.
Please enter your password. We don’t know what passkeys are.
- Password must be longer
- Password is too long. We don’t know what hashing is.
- Password must not contain these characters. We still don’t know what hashing is.
- Password must contain these characters. We don’t know what a passphrase is.
Please enter your password again.
- Passwords do not match.
- [ ] I agree to the Terms of Service.
- [ ] I agree to the Privacy Policy.
- [ ] I agree that the information I entered is correct.
Sorry, you’ve been blocked. Your IP address has been flagged for abuse.
Please enable JavaScript to continue.
Something went wrong, and we couldn’t create your account. Please start over.
Your account has been flagged as spam.
Please enable email or SMS 2FA before activating 2FA through an app.
Please verify your email or phone number every time you log in.
New Email: We noticed a new login. What’s a VPN? Doesn’t everyone store browser cookies forever?
All email notifications are enabled by default.
Please verify your email and phone number before deleting your account.
Your account information you requested to download will be emailed to you within 3-5 business days as if a human needs to approve it.
We’ve reset your password for no reason at all. Please verify your email or phone number to reset your password.
Lost access to your email or phone number? Tough luck. Please contact support.
Need to contact support? Email us or call us.
This call may (will) be monitored or (and) recorded for “quality and assurance purposes”.
“Can you please verify your phone number?” …you mean the phone number I’m calling you from?
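The account-number sign-up praised above (no email, no phone number, no password), sketched as an added example; it is not code from the original post, from Mullvad VPN or from KYCnot.me. The 16-digit length, the server-side `PEPPER`, the throttling limits and the `client_id` key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret kept outside the account database.
PEPPER = secrets.token_bytes(32)
MAX_FAILURES = 5        # hypothetical limit on wrong guesses per client
WINDOW_SECONDS = 60.0   # hypothetical window for that limit


def normalize(account_number):
    """Strip the display spaces; return 16 ASCII digits or None."""
    digits = account_number.replace(" ", "")
    if len(digits) == 16 and digits.isascii() and digits.isdigit():
        return digits
    return None


def fingerprint(digits):
    """Keyed hash of the number: the only thing the server stores."""
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


class AccountStore:
    def __init__(self):
        self.accounts = {}   # fingerprint -> record holding no personal data
        self.failures = {}   # client id -> timestamps of recent wrong guesses

    def sign_up(self, now):
        """Create an account; the number is shown to the user exactly once."""
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(16))
            fp = fingerprint(digits)
            if fp not in self.accounts:          # retry on the rare collision
                self.accounts[fp] = {"created": now}
                return " ".join(digits[i:i + 4] for i in range(0, 16, 4))

    def log_in(self, account_number, client_id, now):
        """True on success; False on a wrong number or while throttled."""
        recent = [t for t in self.failures.get(client_id, [])
                  if now - t < WINDOW_SECONDS]
        self.failures[client_id] = recent
        if len(recent) >= MAX_FAILURES:
            return False     # the number is the only secret, so limit guessing
        digits = normalize(account_number)
        ok = digits is not None and fingerprint(digits) in self.accounts
        if not ok:
            recent.append(now)
        return ok


if __name__ == "__main__":
    store = AccountStore()
    number = store.sign_up(now=0.0)
    print("write this down:", number)
    print("login ok:", store.log_in(number, "client-a", now=1.0))
```

Because the database holds only keyed hashes, a leaked table exposes neither contact details nor usable account numbers as long as the pepper stays separate.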
Don’t kill emails. They’re the only way of cross-platform communication that we have remaining
By cross-platform I mean that you can send a message from one server (e.g. Proton Mail) to another (e.g. Gmail).
This is not possible with Signal or any other messenger, because email is a protocol and not software.
The adjective ‘federated’ is often used for these protocols. There are federated protocols other than email: XMPP, Matrix, ActivityPub, etc.
I think they mean that it not only isn’t tied to a specific platform (PC, mobile, laptops, …) but also isn’t tied to a platform (like WhatsApp, Instagram, Facebook or Signal). This also means that there are different clients for that protocol.
Could web key directory be adopted for cross platform communication?
https://www.privacyguides.org/en/basics/email-security/?h=email#email-encryption-overview
XMPP, you know…
Sorry, you've been blocked. Your IP address has been flagged for abuse. Please enable JavaScript to continue. Something went wrong, and we couldn't create your account. Please start over. Your account has been flagged as spam.
My god how many times have I been through this… Living with debloated phone, hardened browser, VPN, Linux, sure isn’t easy every day :/// !
I totally agree. It shouldn’t be so hard to value your own data/privacy, and sometimes it feels like I’m fighting the wind.
It used to be a breeze with Linux, Mozilla and AirVPN up till a few years ago. Now, it’s almost impossible to navigate the web or use public authority websites without having to disable the VPN and all the privacy-focused plugins of Mozilla. It makes you realise how invasive the internet has become. Even for people in this group who are above average aware of privacy risks, it’s just so hard. The internet would have to be redesigned by privacy-conscious people, but that will never happen as big tech would see their interests at risk and would strongly oppose. How do you get people to switch to SimpleX Chat when I struggle to get them to use Signal?
I couldn’t keep reading this. Too detached from reality. Email is as secure as you should expect it to be, and it serves an important function. I assume you have no real workable alternative in mind.
I agree. OP is losing it a bit. Email isn’t going anywhere anytime soon, and is actually a pretty decent form of communication for business.
Emails aren’t good. They’re still miles better than any of the alternatives.
New idea: TCP/IP is way too old and was never made to be secure (especially with ARP and DNS), so we need to kill them. We should definitely use Reticulum instead and use its LXMF to send messages and cryptographic identities to log in to services.
Good luck getting people to change :)
Having your own domain would solve most of your complaints about email. It’s valid, controlled by you, filtered for spam however you desire, and you can have as many addresses on that domain as you want, without aliasing, and they’ll still all go to you.
Unfortunately then the domain becomes a unique identifier. It still doesn’t fix the security issues with email itself.
You also end up giving away a lot of personal information to the domain registrar, which is less anonymous than third party email providers.
Right but, like, that doesn’t solve any problems. Because then the domain is unique to you.
I thought about this years ago and my best solution was a system to establish a profile, like a vCard with public/private keys that would generate SHA keys to authenticate with services to forward/verify communications. Instead of email, a key and domain or MX; instead of phone numbers a SHA number.
The user could burn contacts or accept invites and stuff.
What you’re describing is somewhat the basis behind passkey authentication and how services like SimpleX Chat or Session operate. One day (I hope) this will become the standard.
SimpleX is not perfect but they do get something very right: Anyone who contacts you needs an invitation. You can make your invitation public and then rotate it periodically such that it loses all value to databrokers. You can choose to make that invitation anonymous, as can your senders.
One good thing from email is Delta chat. It’s encrypted messaging built on the email infrastructure which is decentralized. In principle that’s better than the likes of Signal, just not as refined yet. We shouldn’t kill all these existing things but rather leave them for applications that they work well for that benefit the people that need those things.
Here are some good resources to compare different messaging apps:
In general, my pick would be SimpleX Chat, since it too is decentralized, but also provides things that Delta Chat does not, such as post-quantum encryption.
Did SimpleX fix their desktop app?
I wasn’t aware there was anything wrong with it.
Is it even possible to get a non-KYC’d number to make a Signal account?
You can buy a phone number anonymously with the ways I described, or pay for verification. Either way, you only need to verify the phone number once and never again (unless you want to change it).
Hi. Nice write up. Throwing in my two cents.
I would not kill e-mail, only because it is still one of the few distributed messaging protocols out there which is common. I agree with you about the privacy and security issues - and I think about email as a fully public medium (think public mailing lists and so on). Totally unsuitable for second factor and private (1-1) communication though.
Sadly the only way this will change is if more services accept truly decentralized authentication AND they ALSO can implement moderation and spam control that can work with this. So for those of us on the technical side this means contributing for open source projects (e.g. lemmy, etc) with:
- authentication back ends for TLS client certificates (if gemini can do it why can’t HTTP? browsers used to support this)
- good moderation tools to prevent abuse that can work with such authentications - this means avoiding storing state on the service for a “sign up”; it can also mean implementing proof of patience/work e.g. a long time ago there was this for HTTP https://datatracker.ietf.org/doc/html/draft-sporny-http-proofs-01
Getting these two things right is hard work. You have to implement somewhat annoying things in your interface like 1) your account only becomes active after X time or after approval 2) proof of work or rate limiting of posts, etc. But ultimately this already happens anyway in current systems, it is just opaque (and based on your IP/email/phone).
On another front, communicating privacy compromises about these things is really hard, imagine drawing a big fluxogram with a rule set for someone to follow
- talking loudly in public -> e-mail/
- … (insert your chat medium here - with analogy)
- for really private conversations 1-1 -> SimpleX
- everything else is rubbish and we have no idea what they do, assume someone is reading over your shoulder
I think there is one thing that we systematically get wrong - we continue to create tools that do both direct messaging (1-1) and large groups which causes people’s expectations of privacy to be wrong (e.g. end to end encrypted means nothing in a group chat w/ 1000 people and public access).
Finally for fun and laughs, try saying no when someone asks for your email/phone - behave like you have neither. Malicious compliance works wonders with this, give them their number as your number.
PS: I am going to steal this quote of yours “imagine paying to have your privacy disrespected” about phones. Hell I’m making t-shirts and stickers.
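The sign-up gating this comment proposes (proof of work plus an activation delay, with no email or phone check), as an added example that is not part of the original comment. It uses a generic hashcash-style puzzle rather than the scheme in the linked draft; the key, difficulty, lifetime and delay values are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the service
DIFFICULTY_BITS = 16      # hypothetical: about 65,000 hashes on average
CHALLENGE_TTL = 300       # hypothetical: seconds a challenge stays valid
ACTIVATION_DELAY = 3600   # hypothetical: wait before the account may post
spent_nonces = set()      # short-lived; entries can be purged after the TTL


def issue_challenge(now):
    """Return 'nonce.issued.bits.tag'; the tag means nothing is stored per visitor."""
    body = f"{secrets.token_hex(8)}.{now}.{DIFFICULTY_BITS}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work_ok(challenge, counter, bits):
    digest = hashlib.sha256(f"{challenge}.{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits


def solve(challenge):
    """Client side: brute-force the smallest counter that meets the difficulty."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while not work_ok(challenge, counter, bits):
        counter += 1
    return counter


def verify(challenge, counter, now):
    """Server side: return the activation time, or None if the proof is rejected."""
    parts = challenge.split(".")
    if len(parts) != 4:
        return None
    nonce, issued, bits, tag = parts
    body = ".".join(parts[:3])
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                      # forged or edited (e.g. lower difficulty)
    if not 0 <= now - int(issued) <= CHALLENGE_TTL:
        return None                      # expired
    if nonce in spent_nonces or not work_ok(challenge, counter, int(bits)):
        return None                      # replayed, or the work was not done
    spent_nonces.add(nonce)
    return now + ACTIVATION_DELAY


if __name__ == "__main__":
    challenge = issue_challenge(now=1000)
    print("account active at:", verify(challenge, solve(challenge), now=1005))
```

The cost lands on whoever creates accounts in bulk, and the rule is visible to the user instead of being an opaque IP, email or phone reputation check.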
Finally for fun and laughs, try saying no when someone asks for your email/phone - behave like you have neither.
I did that recently. The lady wanted to exchange phone numbers about a business opportunity. When I told her that I was a very private person, not accustomed to handing out my phone number to strangers and asked her for hers, she gave me some fake number. No biggie.
Also, for all those spam calls and texts, the way I do it on my phone is: If you call me, and your name is not in my rather extensive contact list of friends, family, acquaintances, or business associates, and you don’t leave a message, I’ll outright block you.
I don’t think people could have predicted how big of a need privacy and security would be on the internet or that the western world would so quickly embrace fascism / authoritarianism after barely a generation has passed since WWII.
DEAR GOD YES
I use mail accounts and a phone number like anybody else (Proton, Tuta, Murena) and I know that the mail address is a unique identifier which can be tracked, except if you use an alias. Because of this I avoid as much as possible services or apps which need an account (the worst are those which say “Log in with Google or Facebook”). Naturally better are those which create a user ID instead of an account, and the best are those which don’t need an account and can be used anonymously. Anyway the Q-Day is near, when any privacy measures and anything else are going to hell.
Q-Day refers to the moment when quantum computers become powerful enough to break current encryption methods, particularly RSA encryption that secures much of today’s internet communications[1].
Recent estimates from cybersecurity experts suggest a one-in-three chance that Q-Day will occur before 2035[1]. The Global Risk Institute’s latest assessment indicates a 15% chance it has already happened in secret[1].
Major implications of Q-Day include:
- Vulnerability of encrypted data including emails, financial transactions, medical records, and military communications[1]
- “Harvest now, decrypt later” attacks where nation-states collect encrypted data to decode once quantum computing capabilities mature[1]
- Risk to critical infrastructure like power grids, military systems, and financial networks[1]
Some companies have begun implementing quantum-resistant security measures:
- Apple introduced its PQ3 protocol in March 2024 for iMessage[2]
- Signal has integrated quantum-resistant algorithms into its messaging platform[2]
- NIST released its first set of post-quantum encryption standards in summer 2023[1]
President Biden signed an executive order in early 2025 requiring government agencies to implement NIST’s quantum-resistant algorithms “as soon as practicable,” accelerating the previous 2035 deadline[1].
You will get your wish but it’s not what you want. Regulations will soon require https://id.me/ and valid gov linked identification for all websites. Watch…
I use temp numbers to register things with, got plenty of Signal and Telegram accounts for different things. Bad is that I can’t move to another device ever without losing the account, but it’s quite cheap for a one-time cost. But yeah, wish Matrix would be standard.