I would spend the time to write this in my usual lovely article style, but I’m too upset to do that right now. To put it bluntly: email and phone numbers suck. They both need to die.

Emails

Security

Email, like many other protocols, was not originally designed with privacy or security in mind. You can get “less bad” email providers such as Proton Mail or Tuta Mail, but those only have basic privacy when contacting other emails using the same provider.

Email is one of many protocols designed in the early days of the internet before privacy and security were considered. Since then, there have been Band-Aid solutions added to email to give it some semblance of security, but it is still fundamentally insecure. It lacks many of the features that modern communication protocols like the Signal Protocol and SimpleX Chat Protocol have.

Aliases

One major flaw with emails is that people commonly use the same email for everything. That not only becomes a unique identifier, but it makes it nearly impossible to fight spam and puts all your accounts at risk if your email is breached.

A solution was created to fix this problem in the form of email aliasing services such as addy.io or SimpleLogin. These services allow you to create a large number of random email addresses that all forward to your real email address. This allows you to avoid using a unique identifier for every website, and block spam by simply disabling the email alias.

Email aliasing is great… when it’s accepted. Many services have begun blocking email aliases because aliasing eliminates a unique identifier. People (allegedly) use aliasing to create multiple accounts to abuse free services.

Overuse

Email is required to sign up on almost every website. As mentioned previously, it has many security flaws and email aliasing only partially helps. Websites abuse the fact that emails are supposed to be a unique identifier, so they use it for things like multi-factor authentication or login alerts. Neither of those are what email was designed for, and you only end up putting your account at risk by using it compared to authenticator apps like Aegis Auth or Ente Auth.

Email is also used to sign up for news letters, receive shipping alerts, send sensitive information for jobs and job applications, contacting most businesses, even logging into some computers. All of these pose a risk if you don’t use email aliasing or if your email is breached. What upsets me most is seeing open source software requiring email addresses, like GitLab, Codeberg, many Lemmy instances, etc. These shouldn’t request anything past a username and a password.

Email overuse has gotten so bad that many disposable email services like Maildrop have been created in order to generate throwaway emails to get past authwall screens. These should never be used for real accounts because anyone can access them and, as I mentioned before, most websites will allow you to login only by verifying your email.

Anonymous Email

Email providers are being hit with mass sign-ups because of how often email is used. Because of this, many email providers block you from signing up if you are connected to a VPN or Tor. This means that in order to create a single email address to do almost anything across the internet, you must give away your IP address to the email provider first, effectively deanonymizing yourself. The internet was supposed to be built to be free, but giving away your personal information to access content doesn’t sound very free to me.

Kill Emails

Emails are outdated, overused, and not private. They were never designed to be (ab)used the way they are right now. Even something as simple as setting up Git or GnuPG asks for your email, or signing up for a local event. This needs to stop. Using fake emails doesn’t solve the underlying problem.

Phone Numbers

Gratis

If you thought free emails were bad, imagine paying to have your privacy disrespected. A single phone number will cost you a monthly subscription, even if you only need to receive a single text. Prepaid SIM cards are becoming a dying art, especially in the United States. Most mobile phone operators will make you buy and activate an eSIM, which requires an egregious amount of personal information to activate (including email). Most payphones have been abolished too, meaning you can hardly pay by the minute anymore.

Security

Phone numbers don’t even pretend to be private or secure. It’s sent unencrypted to anyone with a $15 antenna, and intercepted by almost every government in the world. Salt typhoon showed just how abysmal cellular security really is. RCS and iMessage are slight steps up in terms of privacy (providing at least some encryption), but it barely provides any protection.

Phone numbers in this respect are even worse than email. SS7 attacks can trivially intercept communications by anyone without any user interaction. That is an easy way to grab multi-factor authentication codes sent via SMS. Despite all of these known issues, people still insist on using phone numbers for almost everything.

Aliases

While not free, you can use services such as MySudo to create phone number aliases. These aliases are really just real phone numbers, all of which you own. Unfortunately, these phone numbers are VoIP numbers, which many services block.

Overuse

Like emails, phone numbers are used in a lot of applications. Because they cost money, they are a better unique identifier than emails, since people are less likely to own multiple. Phone numbers may be required to create accounts, apply for jobs, do almost anything government related, and much more. All of this is done unencrypted and intercepted.

My favorite: in many places, you have to use a phone to contact non-emergency services. The homeless and other people who can’t afford phone numbers are unable to report crimes since there are no pay phones. Even visiting the police station in person will get you turned away and told that you must call (speaking from experience) no matter how much you try to convince them.

Thankfully, many times when a phone number is asked for you can put in a fake phone number without risk. For many applications, throwaway number services will also work. Applying for jobs, a lot of the time you will be asked for your phone number. If you simply inform them that you do not have a phone number, most will accept that or (at worst) give you a funny look. I would prefer email when applying for jobs anyways since you aren’t sprung with a sudden call.

Anonymous Phone Numbers

The only way to get an anonymous phone number (without risking buying second hand) is to buy a burner phone with cash, a prepaid (e)SIM, and use as much fake information as possible (even the area code). This will easily run you $45+, and requires a subscription to keep using it. Beware that the phone you use it with may disrespect your privacy in other ways.

Kill Phone Numbers

Phone numbers are one of the least private and least secure methods of communication. It is under active mass surveillance, and costs way too much money. It’s good to see younger generations moving away from phone numbers towards third party services (no matter how bad they are), because that means that there is hope of killing phone numbers once and for all.

Kill Both

Anyone can create an email. Anyone can buy a phone number. It should not be used as a unique identifier, and certainly should not be used for authentication purposes. We need to stop overusing insecure, nonprivate communications, and start normalizing using Signal usernames or SimpleX Chat addresses for general use. Currently, if you stick only those on your resume for your contact information, you will most likely not receive a message back. That needs to stop. Phone numbers and emails can get leaked and cause endless spam/scams compared to other forms of communication. There is no reason to keep using either option when so many better options are available.

Try to create a full software stack without using services that request your email or phone number, and you will begin to see just how bad the problem has gotten. Some services like Mullvad VPN and KYCnot.me have begun requiring no personal information at all to create an account, not even a password. They randomly generate account numbers to be used to login. I want to see more of that instead of…

spoiler

Please enter your first name.

  • Must be at least 3 characters.

Please enter your last name.

  • Must be at least 3 characters.

Please enter your date of birth.

  • You must be at least 13 years old.
  • The birthday we let you enter (01/01/1900) seems invalid.

Please enter your username.

  • That username is taken
  • Some characters are not allowed

Please enter a display name.

  • Some characters are not allowed, but the requirements are different from anything else.

Please enter your email.

  • Sorry, but that email is blocked
  • We’ve sent a code to fakeemail@please.stop
  • No email received

Please enter your phone number.

  • We don’t accept VoIP numbers.
  • We’ve also sent a code to +1 (555) 867-5309, because why not.

Please enter your password. We don’t know what passkeys are.

  • Password must be longer
  • Password is too long. We don’t know what hashing is.
  • Password must not contain these characters. We still don’t know what hashing is.
  • Password must contain these characters. We don’t know what a passphrase is.

Please enter your password again.

  • Passwords do not match.

  • [ ] I agree to the Terms of Service.

  • [ ] I agree to the Privacy Policy.

  • [ ] I agree that the information I entered is correct.

Sorry, you’ve been blocked. Your IP address has been flagged for abuse.

Please enable JavaScript to continue.

Something went wrong, and we couldn’t create your account. Please start over.

Your account has been flagged as spam.

Please enable email or SMS 2FA before activating 2FA through an app.

Please verify your email or phone number every time you log in.

New Email: We noticed a new login. What’s a VPN? Doesn’t everyone store browser cookies forever?

All email notifications are enabled by default.

Please verify your email and phone number before deleting your account.

Your account information you requested to download will be emailed to you within 3-5 business days as if a human needs to approve it.

We’ve reset your password for no reason at all. Please verify your email or phone number to reset your password.

Lost access to your email or phone number? Tough luck. Please contact support.

Need to contact support? Email us or call us.

This call may (will) be monitored or (and) recorded for “quality and assurance purposes”.

“Can you please verify your phone number?” …you mean the phone number I’m calling you from?

  • rrobin@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    2 months ago

    Hi. Nice write up. Throwing in my two cents.

    I would not kill e-mail, only because it is still one of the few distributed messaging protocols out there which is common. I agree with you about the privacy and security issues - and I think about email as a fully public medium (think public mailing lists and so on). Totally unsuitable for second factor and private (1-1) communication though.

    Sadly the only way this will change is if more services accept truly decentralized authentication AND they ALSO can implement moderation and spam control that can work with this. So for those of us on the technical side this means contributing for open source projects (e.g. lemmy, etc) with:

    1. authentication back ends for TLS client certificates (if gemini can do it why can’t HTTP? browsers used to support this)
    2. good moderation tools to prevent abuse that can work with such authentications - this means avoiding storing state on the service for a “sign up”; it can also mean implementing proof of patience/work e.g. a long time ago there was this for HTTP https://datatracker.ietf.org/doc/html/draft-sporny-http-proofs-01

    Getting these two things right is hard work. You have implement somewhat annoying things in your interface like 1) your account only becomes active after X time or after approval 2) proof of work or rate limiting of posts, etc. But ultimately this already happens anyway in current systems, it is just opaque (and based on your IP/email/phone).

    On another front, communicating privacy compromises about these things is really hard, imagine drawing a big fluxogram with a rule set for someone to follow

    1. talking loudly in public -> e-mail/
    2. … (insert your chat medium here - with analogy)
    3. for really private conversations 1-1 -> SimpleX
    4. everything else is rubbish and we have no idea what they do, assume someone is reading over your shoulder

    I think there is one thing that we systematically get wrong - we continue to create tools that do both direct messaging (1-1) and large groups which causes people’s expectations of privacy to be wrong (e.g. end to end encrypted means nothing in a group chat w/ 1000 people and public access).

    Finally for fun and laughs, try saying no when someone asks for your email/phone - behave like you have neither. Malicious compliance works wonders with this, give them their number as your number.

    PS: I am going to steal this quote of yours “imagine paying to have your privacy disrespected” about phones. Hell I’m making t-shirts and stickers.

    • irmadlad@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Finally for fun and laughs, try saying no when someone asks for your email/phone - behave like you have neither.

      I did that recently. The lady wanted to exchange phone numbers about a business opportunity. When I told her that I was a very private person, not accustomed to handing out my phone number to strangers and asked her for hers, she gave me some fake number. No biggie.

      Also, for all those spam calls and texts, the way I do it on my phone is: If you call me, and your name is not in my rather extensive contact list of friends, family, acquaintances, or business associates, and you don’t leave a message, I’ll outright block you.