📆 August 10, 2023 | ⏱️ 11 minute read | 🏷️ computing

Re: Phone numbers must die

This entry is a commentary on the article written by Hugo Landau titled “Phone numbers must die”. I’ll be quoting from it heavily. Let’s get started.

“I neither have, nor want, a E.164 number (phone number) at this time, so services which demand I offer them one are making an invalid assumption and, advertently or inadvertently, telling me to get lost.”

Very early on in the article is the first criticism of E.164 numbers. Hugo doesn’t explicitly say so here, but it’s implied that they are frustrated that so many services require a phone number.

I know what Hugo is going through here. As someone who also doesn’t want a phone number, I have struggled to avoid services which require one. My biggest obstacle so far has been banking. All the banks in Mexico require not only a phone number, but also a phone app, despite the fact that banks predate phones and phones have never been needed in the past to have a bank account. It took me some time to figure this out though.

Edit (20-03-2024): It isn’t 100% fair to say that all banks in Mexico require a phone app, but it isn’t far from the truth. BanCoppel is the only major bank I’ve found to be semi-usable without downloading a proprietary app. If there are other banks which don’t require an app, they certainly don’t advertise it. Even at BanCoppel, customers without the app have limited account functionality and interactions with bank employees are more difficult since they’re so accustomed to app-using customers.

In the first bank I tried, I was able to successfully make an account. I asked if a phone was required before I made the account and was told no. They said I could use the web interface. As I would find out later, a proprietary phone app (which also required a phone number) was needed to log into the web interface. I tried the app on someone else’s phone and found out it uses a dizzying array of seemingly redundant token-based authentication mechanisms which make it seem like whoever designed it didn’t understand the concept of a threat model. After looking into the app further, I discovered it included face-scanning, location tracking, and AI-based behavior tracking. Needless to say, I closed that account.

After that, I walked into another bank branch where there was a sign saying that one had to make an appointment over WhatsApp before talking to someone. I just walked out.

In the next bank, I was very clear that I didn’t want to use a phone or phone number. I was told that all banks in Mexico require proprietary smartphone apps. By refusing to use one, I’d be unbanked.

As if that weren’t bad enough, I found out that the bank apps strictly limit the configuration of the phone for “security reasons”, making it very difficult to run them on privacy-respecting roms. It’s as if they expect you not to exercise control over your phone, and discriminate against those who do. During testing, I did successfully get one working on stock Android after several hours of fiddling with settings and installing mods to spoof system information. The average user would have no chance.

In the end, since my only alternative was being unbanked, I signed up for a fintech company which doesn’t require a phone app. It still officially requires a phone number, but seems to work without one. It’s definitely not a permanent solution. In the future, I hope to find a more permanent solution that doesn’t require a phone nor a phone number in any capacity.

After “Phone numbers must die”, Hugo wrote another article titled “Having a bank account without having a phone number”, the first part of which recounts their own story of achieving phoneless banking in the UK. Apparently it’s still feasible over there. Go ahead and read it if you’re curious.

But phone numbers being mandatory doesn’t just leave phoneless people unbanked. It creates problems for attending university, socializing, finding a job, and other things which have never historically depended on having a phone number.

I think this brings up the important question of why people like Hugo and I go through so much trouble not to have a phone number when it’s just easier to have one. What reason is there not to have one? As it turns out, there are many. Here’s one of Hugo’s reasons:

“…Though I could trivially obtain a new SIM card to put in an old dumbphone, and with it a new E.164 number, this would force me to engage with the small number of carriers with spectrum and their variously obnoxious business practices, or the larger number of MVNOs which resell those carriers and are thereby forced to perpetuate their business practices, and thus can never truly be better than them.”

As Hugo states, one of the reasons it’s a problem that having a phone number has become a de-facto requirement is that telcos are evil oligopolies that fuck over their customers. Why should you have to give money to evil telcos just to get a bank account, or a job, or a university degree?

Given that the practical choice for the vast majority of people is between having a phone and phone number or being destitute, the telco contracts and software license agreements on phones are manufactured agreement. It’s a bastardization of real consent because there is no real alternative. When people sign these contracts, they’re not agreeing with the terms set by telcos or software vendors. They’re agreeing that they need a job. They’re agreeing that they want to participate in society. And they’re agreeing not to be left behind.

I would just add that requiring telephone numbers for performing basic functions in society is also bad because it necessitates having a phone. Yes, online telephony APIs exist, but almost nobody uses them for a personal phone number. I’ve already made quite a detailed journal entry talking about the harms of smartphones, but even dumbphones necessarily have 24/7 location tracking (that’s how the telephone network works). People shouldn’t have to submit to the surveillance or the addictive nature of phones just to function in society.

“The E.164 namespace addresses an international, and rather opaque, network of companies operating dubious business and billing practices. Many networks are being converted to packet-switched, VoIP architectures internally, but the chronological billing model borne of the economics of circuit-switched telecoms is kept alive as a facade, it no doubt being more profitable. In some ways no company has any power to rise above this, because they have to route calls to other networks which operate in the same way. The global PSTN thus forms a dubious world map of private fiefdoms, each with their own billing practices. The PSTN is never going to be weaned off the billing model of hundred-page price lists listing E.164 prefixes and associated per-unit-time call costs, despite the Internet by its very existence having proven that there are better ways to pay for and operate a global communications network. I object to the continued existence of this network, operated as it is.”

Here, Hugo is shifting from criticizing phone numbers to the global circuit-switched telephone network itself. The first part of the criticism is technical. Hugo points out that circuit-switching is so outdated that telecoms don’t even use it internally because of its inefficiency. Instead, they use Voice over IP, a packet-switched internet protocol. The packet-switched internet should have superseded the telephone network years ago, but the telephone network still remains alive today.

The second part of the criticism complains that the reason the telephone network remains alive is so that the oligopolistic telecoms can continue to greedily extract money from customers. There’s no technical reason that the telephone network shouldn’t be gone by now. We would all do just fine without it and without E.164 numbers. Some internet-based replacement for E.164 numbers could easily be realized.

While I completely agree with Hugo’s technical criticisms, I would point out that while the internet is superior to the telephone network, it also faces the same problem of oligopolistic control enforced by the network effect. Like the telephone network, the internet is largely controlled by only a few entities. The reason for this centralization is because the network stack is broken and outdated. We’ve known for decades about ways to improve it and create a more secure, decentralized internet, but it’s hard because, just like with the telephone network, there are vested interests who stand to lose power and money if the technology improves.

“The E.164 namespace is not secure, not only because carriers are prone to randomly reassign disused numbers. Not too many months ago were articles posted on HN about how a targeted attacker managed to obtain control of a organization’s staff member’s highly used E.164 number, probably just via social engineering. Since many accounts systems entertain the demonstrably false idea that E.164 numbers represent a more secure point of contact than other identifiers, such as an e. mail address, this creates a significant vulnerability, especially where users are forced to offer E.164 numbers unto this end.”

Fully agree. When I see online services using SMS as a form of multi-factor authentication, it drives me up a wall. SMS codes are not secure authentication! In my journal entry “Comparing Multi-Factor Authentication Methods”, I rated SMS code security as “weak” precisely because texts can be intercepted relatively easily via SIM swapping. As a user, there is no way to prevent this. The burden to protect your phone number rests entirely on the side of telcos, who have proven easy to socially engineer.

Also in my journal entry regarding multi-factor authentication, I rated email tokens as “fair” security. That is, perhaps not as strong as something like time-based one-time passwords when properly used (stored on a separate device), but definitely better than SMS codes. Hugo seems to agree with me about that:

“There are an array of procedural hazards regarding the security of ICANN domains, relating to a variety of suspension and forced-transfer-of-ownership procedures, such as those used for trademark disputes. It’s not a very accountable system, and one that operates independently of the courts, nor are ICANN domains something one truly owns. Nonetheless, understanding the threats posed to ICANN domains one controls, I trust and prefer them a lot more than E.164 numbers.”

I’ve also expressed the opinion that ICANN can’t be trusted and that you never truly “own” ICANN domains. But, I also trust and prefer ICANN domains over E.164 numbers.

“Probably the most laughable instance of telephone centricity however was when in a moment of madness I tried to sign up for a Twitter account. Upon submission of the registration form the Twitter website told me to sign up via the Twitter smartphone application instead, which was a truly bizarre non sequitur given that I hadn’t provided it any evidence I had a smartphone in the first place. Since in fact I do not, it was essentially telling me to get lost. What was hilarious however was that I succeeded in creating the account by running the Twitter application inside an (obviously E.164 number-free) Android VM, essentially proving that the whole thing was a spectacle of security theatre.”

I’ve also used Android VMs to avoid smartphone use. I once helped someone set up an Android VM with Microsoft’s multi-factor authenticator app so they wouldn’t have to mix their work data with their personal smartphone. I understand if the developers are just targeting mobile, but intentionally forcing users to use mobile apps to accomplish certain flows is awful design. Like Hugo said, what if the user doesn’t have a phone?

What’s particularly frustrating about this is that, as a user, I have no indication ahead of time which of the flows require the mobile app and which I can do on the web or desktop. It’s also not something company employees are used to thinking about, so they generally can’t give straight answers regarding which part of their services require a phone either. It’s like the example I mentioned with the bank that told me that I didn’t need a phone and then I found out later that I couldn’t even log in without their mobile app.

“What really irritates me about these demands for E.164 numbers, however, is how they represent an abandonment of what I would describe as “internet nativity”. When Google demands an E.164 number, they’re not demanding it despite the fact that E.164 is a somewhat closed, opaque network, but because of it. Basically everything bad about the E.164 namespace and its constituent organizations is precisely what makes it attractive to organizations for use cases like these. They prop up an opaque network by relying on it, because they find the very openness of the internet troublesome. This essentially represents a wilful vacation of the internet as the one true network, by an organization which is iconically associated with the internet itself. It’s a depressing move to see.”

Internet services require a phone number because they cost money and the user probably already has one. So it makes for a decent barrier against spam that doesn’t make the user spend extra money and doesn’t leave out (most) legitimate users. But as Hugo points out, coupling E.164 numbers with internet services detracts from “internet nativity”, creating a dependency on an opaque network run by oligopolies following questionable business practices.

If you run an online service or business which strictly depends on E.164 numbers and there’s no legal regulation forcing you to, then you’re just wrong. There are alternative ways to prevent spam and E.164 numbers certainly shouldn’t be used for authentication. There’s no excuse for requiring them. So please stop propping up this shite network and let phone numbers die already.