Educate me on phone number security

Ok, new to Linux, as the L14 will be my first foray into this, and I’m looking hard at the L5 sometime this year, if funds allow it, so bear with me if this seems a dumb question.

To begin with, I try to use the Signal messaging app whenever I can. After reading the dozens of comparisons, reviews, etc., at least all I can, online, I decided on that app. With Wickr as a backup for when either party doesn’t wish to exchange numbers for whatever reason. And I would be glad to hear of other options any of you deem to be better, and why, of course.

The one flaw, or drawback I always see people mention with Signal is, they need a phone number. But, and I’m a newbie here on security/privacy, it seems your online/phone/etc profile is built around circles of connections, whether it be friends, family, work, your banks, credit cards, etc. (how social media does it, i.e. fakebook, google, etc.)
In other words, they can figure out who you really are because of all these connections, whether by phone number, email addresses, home addresses, that overlap, etc. And, you have a phone number on record with your banks, credit cards, cable company, phone bill, doctors, clubs, local food delivery, and every contact you have, and probably dozens of others I can’t think of right now.

So am I wrong in thinking Signal having the number is unavoidable anyway? Seems even with the Purism AweSIM, you are going to use the phone basically, well, as a phone, and if your daily driver, that number will be connected to you and anyone wishing to figure out who actually owns the phone attached to that number, should be easily done, as you use the number in all the same places as before. As soon as you call several friends, I’m sure there is an algorithm that will say, hey, so the same connections pattern is being tracked as this iPhone/Android number was, or whatever, so it’s likely still “John Smith” that owns this phone.

So, at the end of the day, is the actual phone number the one thing that is almost impossible to hide? That hiding/encrypting actual data such as the messages/conversations themselves, is more plausible?

Thanks in advance folks for any and all input on this!

2 Likes

There is so much in this. I’m only going to mention a few related points, so sorry about the rambling tone. Due to the phone number thing, I haven’t reinstalled Signal for some time, so I have no idea what the current state of the signup process is.

Your phone number is a specific identifier of you. Like social security number or customer ID. It’s easily machine identifiable correctly, usually void of spelling mistakes or duplicates (same email or address may house several people, addresses change, there are similar addresses etc.). It’s not perfect but pretty close. That would be reasoning to obtain it. Not necessarily the reason for Signal though, even in a nefarious case.

A drawback of many two factor authentications is that you are demanded to use your phone number for an SMS. Phone number ties you to a physical object that you carry around with you. That connects you to both paid services that may have your info as well as cell tower location (if not GPS or other tracking). That device also limits having too many spoofed IDs, so I suppose it does do some good, but is not really an effective barrier on that. The phone is also a low level assurance, that you don’t just hand over your account to anyone. It’s a separate conversation what are the intentions and needs with Signal or any other app regarding those points, and should/could they be done differently.

Inferring identity from all that other data (like social network and information that your circle has leaked to identify the blind spot you may have been building) is possible. It’s not an either-or but about levels of accuracy and certainty that you can affect by controlling how much information and how accurate information you intentionally and unintentionally release into the wild wild scarily mystified information ether. Always remember, that the information is not about you but also about your loved-ones. It’s unlikely this happens with Signal or L5, as this info is gleaned from Androids and Apples as the apps can have such privileges - one of the points of having a Linux phone. I do not know enough of Signal however to say what info it can or does get from the app itself (meaning technical user data, not content). But, returning to one of your questions, no, it’s not unavoidable in the sense that if Signal profile is creatable without a phone number (or you create one using a temporary prepaid and their PIN-system), you should be pretty certain that your used number won’t leak via L5 (unlike with others). With FB (and most other “free” apps) you can be pretty certain that your address book etc. is copied.

Giving your number to Signal - or anyone else - is a choice. Is it worth it is an individual question. It’s still easier to change your phone number every now and then than it is to change your social security number, if need arises (or just to make sure).

3 Likes

These links look like they could be useful:

5 Likes

Thank you for your reply. I suppose I did focus on Signal as the example, but just seems one has their phone number out to “X large” number of places, that adding one more is doing what? Certainly not helping of course, but is thinking, “how much worse can it be”, or “is one more place affecting that much” wrong? And as I said, using the Purism route of the AweSIM is doing the same thing, where if you have the other 37 bazillion pieces to connect the dots, figuring out who owns the phone the number is assigned to wouldn’t be that difficult for some entity?

I’m one of those boring normal nobodies that is not a target, nothing to hide, etc., just trying to figure out where my, or anyone’s focus, or priorities would be in trying to be fairly privacy/security focused? I just keep thinking, wow, my phone number is all over the place already!!! Or do I need 2 phones, one as merely a contact point for the various mundane places I need it, and the other for mobile data, conversations, texting, etc. or does the same result occur no matter what. And honestly, I never have thought about changing my number every so often. I’ve had mine for literally 15-20 I think. So yea, newbie me to all this.

And don’t want 37 phones to really confuse the 3 letter agencies should the need arise LOL

I think all your arguments, @bass20, are correct, and this is exactly why I decided against Signal. I prefer Matrix peer-to-peer network (with Element client). This is also what PureOS on Librem 5 and Librem 14 is going to support by default (but it’s work in progress yet AFAIK).

1 Like

I have been experimenting with callcentric. Basically it allows one to get an SMS number for about $3.00 a month. You receive the SMSes as emails. Where I see that it could be valuable is in shielding your actual number.

If one were sufficiently organized, one could keep a list of where one has given this SMS number and every so often change the SMS number.

The challenge of this approach is, obviously, hidden in the conditional and I have not yet decided if I am sufficiently organized.

I should add that I am not particularly interested in confusing three letter agencies because I think that the return on effort (ROE) is too low. I am more interested in protecting my privacy from exploitation by surveillance capitalism.

1 Like

I saw this as well, thanks!

https://ctrl.alt.coop/en/post/signal-without-a-smartphone/

2 Likes

And I don’t suppose any way to use Matrix on iOS at this point?

Looks like it exists (but I didn’t try it):

1 Like

AFAIK Signal is working on being able to be used without phone numbers. I don’t know how that will look and when it comes.

Signal is probably the most secure and cryptographically sophisticated messaging system. Despite the phone number issue there is some criticism about it being a proprietary, centralized and closed network. Not closed source of course.

The creator of Signal, Moxie Marlinspike, held a talk “The ecosystem is moving” at the 36th Chaos Communication Congress (36th) of the German hacker organization Chaos Computer Club (CCC). He had some good arguments on why it is an advantage that Signal is centralized and proprietary. I personally don’t agree totally with all of them.

I wonder why I can’t find the video anymore on

https://media.ccc.de

A good source for nerdy videos. Not only for skilled people.

By the way, Signal once was asked for data by an American state or jurisdiction and they couldn’t give them meaningful information because they store almost nothing (in plaintext).

Decentralized alternatives are XMPP and Matrix, both of which need you to register at some service or host your own service, at least if you want to receive messages that were sent while you were offline.

Also interesting is Briar messenger, which works over the Tor anonymization network and even without internet. I don’t understand fully how it works and didn’t try it, yet. It may be a robust and anonymous (as far as possible) messenger.

4 Likes

AFAIK that’s only the case where people are close to each other (not miles apart) and the devices can communicate DIRECTLY with each other (like on a LAN).

Because that video being online is an error. Moxie asks now for his talks not to be posted online, because his talks always cause Twitter storms. And the CCC folks did it by accident as their standard is to publish everything.
By the time it was pulled down, copies already existed elsewhere.

2 Likes

Honestly, for me that talk was just a repeat of the 2016 article with the same name, which makes me question if he even had a look at the XMPP ecosystem since 2016.

1 Like