this post was submitted on 20 Jan 2025
804 points (98.4% liked)

Technology

60942 readers
3858 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
804
Stop Treating Phone Numbers As A Digital ID (notthesolution.substack.com)
submitted 4 days ago by [email protected] to c/[email protected]
140 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 288 points 4 days ago* (last edited 4 days ago) (12 children)

To the same audience: quit selling my fucking phone number!

I ditched a phone number I had for 10+ years because it was leaked everywhere. Only a few short months after updating my number with the DMV and a handful of other government agencies I started receiving scam calls/messages again.

At some point we need to adopt some fucking privacy laws. This is absolutely bonkers—is no one else fed up??

Edit: I already know how to silence unknown callers. What I want is to not have the problem in the first place, ideally by 1) having companies not sell personal data to third parties and 2) being able to block spoofed (non-encrypted) caller ID.

[–] [email protected] 120 points 4 days ago (5 children)

Oh everyone is fed up but we just elected a guy and government who is sure to make it all way way way worse.

He just helped put the nail in the coffin of the lie that crypto is for anything but scams, don't worry, it's gonna get real bad before it gets any better.

[–] [email protected] 26 points 4 days ago

In South Africa, where I live, everyone is assigned an ID Number at Birth. You need an ID number, thumbprint scan AND proof of address to get issued a SIM card number due to a law introduced called RICA. It was meant to help fight crime. Worried that the government could listen in to calls or read their SMSs, the criminals just switched to WhatsApp, which also happened to become cheaper than SMSs and gained popularity in this time.

The cops never seemed to crack WhatsApp. The only drug busts that happen are when an open secret becomes laughably too open and when they harass every person arriving from South America at O.R. Tambo international airport just to catch the decoy mules carrying 12g of cocaine (total). Every dealer I ever organised with was over WhatsApp.

So now, woopsi, RICA stopped nothing and just became a liability. That treasure trove of fragile data made its way to scammers and spammers. A total net negative.

I'd encourage everyone else in other countries to apply major pushback to any government proposals in this direction.

load more comments (4 replies)
[–] [email protected] 48 points 4 days ago (1 children)

I'm pretty sure a lot of scam calls use machines that call every possible phone number within an area code and see who answers. There is no way to avoid it.

[–] [email protected] 13 points 4 days ago (4 children)

this right here. I stopped getting scam calls years ago, I stopped answering and they just eventually stopped calling. If you don't interact with the call (interact being ignore it or mute it NOT reject it) and it just goes to voicemail, they seem to eventually stop

[–] [email protected] 13 points 4 days ago (2 children)

Lucky you. I've been letting calls from any number I don't recognize go to voicemail for years and nothing ever seems to change.

[–] [email protected] 13 points 4 days ago

Setup a whitelist, I think it's native on iPhone and there are multiple Android apps. Only calls from your contact list will ring through. My voicemail is, "You're getting this because you're not on my contact list, send a text and I'll get back to you."

load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 21 points 4 days ago (3 children)

lists sourced from drivers licenses and motor vehicle registration records are literally sold by some states.

load more comments (3 replies)
[–] [email protected] 16 points 4 days ago

quit ~~selling~~ demanding my fucking phone number!

FTFY

[–] [email protected] 11 points 4 days ago* (last edited 4 days ago) (1 children)

Australia has a "do not call register". It seems to mostly work, but telcos are having trouble with calls originating from outside the network with spoofed caller ID. We still get spam/scam calls from India among other places.

Even if they're not calling you directly, they are still using your phone number to link you to things and create a shadow profile behind the scenes.

load more comments (1 replies)
[–] [email protected] 6 points 3 days ago (1 children)

Don't worry, here in Europe we are full of privacy laws but I still receive tents of spam calls per day. Usually from non UE countries faking the number with my country numbers.

load more comments (1 replies)
load more comments (6 replies)
[–] [email protected] 117 points 4 days ago* (last edited 3 days ago) (3 children)
  • Phone numbers
  • social security numbers

Stop making personal information into digital ids because when it inevitably ends up in some kind of data breach. These companies all throw their hands up saying sucks to be you.

[–] [email protected] 19 points 3 days ago

Nah, man. Gotta get my $2.97 check.

[–] [email protected] 6 points 3 days ago (3 children)

What I hate is when they want you to store "secret" information like your mother's maiden name/ first pet name for later verifications. You know these are stored in plain text of course. My own damn government does this stupid shit, and they've had several hacks of PII including gun registrations because as far as I can tell, nobody competent works in government IT.

[–] [email protected] 4 points 2 days ago

I choose random questions and store the random passwords that I use as answers in my password manager. It's also more secure because people can't just Facebook stalk you for answers.

[–] [email protected] 2 points 2 days ago

Security questions don't care what you put in there. It's not an exam. It's basically just an alt password.

I just generate a string of alphanumeric text from my password generator and stuff those in there. If I lose my password vault somehow I'm cooked anyway, so.

load more comments (1 replies)
[–] [email protected] 13 points 3 days ago

Yeah, just generate a unique ID and ask only for the information you actually need.

[–] [email protected] 131 points 4 days ago (12 children)

This should be what digital ID looks like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZ26+ARYJKwYBBAHaRw8BAQdAsUGMjbGNUyyz9PHsHKP4xj/tIfYIuHb4miPH 0iCPpu60K0VSUk9SOiBFYXJ0aC5leGUgaGFzIGNyYXNoZWQgPG5vQGVtYWlsLmV4 ZT6IcgQTFggAGgQLCQgHAhUIAhYBAhkBBYJnbr4BAp4BApsDAAoJEI6E3uMn31Z3 028BAM5o8ER0dqTsxFlZSgZOvvgFHGuy2eFgF3rULkGKl1KrAP9fdE7WwnYbBer/ AVmw5jr0P5m/XsEQQrSueuk/FLYBBbg4BGduvgESCisGAQQBl1UBBQEBB0BDR0Bv pf4jxbwp9rVowFTnL59NGqnnh6XyF/LjAoYDGgMBCAeIYQQYFggACQWCZ26+AQKb DAAKCRCOhN7jJ99Wd1dMAP45xmN03SodkWHi7PYOORqNXJUBdMzzfsRXdqE8ZXaW vAD+PqNqPcbwJYCOEAXkg7DlZ0SX3o9MViZLdzHFQ3TpUA8= =krDh -----END PGP PUBLIC KEY BLOCK-----

PGP Key Fingerprint: 857957d40f06cc816fd3d29a8e84dee327df5677

Should be good until quantum computers come around

[–] [email protected] 65 points 4 days ago (1 children)

I'm sad PGP didn't become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.

[–] [email protected] 30 points 4 days ago* (last edited 4 days ago) (1 children)

I mean, passkeys are... sort of... PGP... 🤷‍♂️

[–] [email protected] 22 points 4 days ago (6 children)

I'm already hearing about restrictions on exporting passkeys and some apps requiring that you're not running a custom ROM on Android and stuff like that. Makes me worried they're going to fuck that up and make it restrictive bs

load more comments (6 replies)
[–] [email protected] 25 points 4 days ago (8 children)

Now type it a form that doesn’t allow copy and paste.

load more comments (7 replies)
[–] [email protected] 20 points 4 days ago (1 children)

Thanks, gonna need your phone number to verify that though.

load more comments (1 replies)
load more comments (9 replies)
[–] [email protected] 31 points 3 days ago

Please. It is the most annoying part of trying to use some sites and I rather not give out my number to people who store important info in plain text files.

[–] [email protected] 50 points 3 days ago

Bane of my life as about a year ago my dad switched his sim and immediately started pestering me about not being able to log into his accounts.

Yes he got rid of the old number completly and expected me to somehow make his logins work. This is still going on to this day when he complains to me something doesn't work it's because he's tied it to his old phone number.

[–] [email protected] 8 points 3 days ago

Internet security and internet privacy are only incompatible goals when combined with incompetency and shit user-exerience design.

[–] [email protected] 45 points 4 days ago (6 children)

It is the same thing that happened with US Social Security Numbers, which were originally just tracking numbers for that one purpose that were coopted by capitalists and treated like something special.

[–] [email protected] 13 points 4 days ago (1 children)

I remember I was flipping through some of my mom's old college stuff and there was a club that she was involved with and everyone listed their address and social security numbers. It was wild, no idea why they felt the need to collect socials. But this was a very long time ago.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 20 points 3 days ago (23 children)

I'm in a quest to find a good email provider that doesn't ask for a cellphone or another email address while creating an account, cock.li used to do this but now it's "getting back on its feet"

[–] [email protected] 6 points 3 days ago

Just signed up for Tuta and they do not ask for this.

load more comments (22 replies)
[–] [email protected] 14 points 3 days ago (7 children)

I've been considering getting a pager or a burner phone just for this

[–] [email protected] 5 points 3 days ago (1 children)

Most phones are dual Sim these days

load more comments (1 replies)
load more comments (6 replies)
[–] [email protected] 4 points 3 days ago (1 children)

On this question of verification, I don’t have a particularly foolproof solution, but maybe there just isn’t one.

I can criticize the modern web for a lot of things, but as long as we have situations where we want to check whether an account is a real person, as opposed to FarmingBot #295038, they need something. I'm not a fan of phone verification, but I'd only criticize it when we have alternatives.

I'd even be in favor of some kind of one-way algorithm by which a trusted real-person-identifying entity could tell a random third party site: Yes, this is a genuine human.

[–] [email protected] 4 points 2 days ago* (last edited 2 days ago) (3 children)

The technology has existed since the 80s.

X509 certificates would allow a government agency to sign a digital identity indicating that it's legitimate, would allow for remote revocation in the event of loss or theft, and can be easily integrated with every existing computer and browser.

An issued physical card would resemble a credit card, with a chip in it. Other physical form factors can take the shape of USB-devices which bundle the card and the reader into a single device.

load more comments (3 replies)
[–] [email protected] 14 points 4 days ago (1 children)

Theres an LTT video where one of the boys intercept all Linus' calls and texts, classic prank.

[–] [email protected] 33 points 4 days ago

You mean the Veritasuim video with linus in it?

Source

[–] [email protected] 16 points 4 days ago

Are Internet security and Internet privacy incompatible goals?

They are if the security is tied to knowing that an account is a person.

[–] [email protected] 9 points 4 days ago* (last edited 4 days ago) (1 children)

Are internet security and internet privacy incompatible goals?

Yes. They are completely incompatible goals when anything relating to identity/being is linked to it. Examples of this could be anything from your name, to your behavioral patterns, to your phone number

Disregarding the entire possibility that ANY site is hack-able/breach-able, the issue stands that the reasons that most sites request PII is valid, for security reasons. There does not exist any valid method of ensuring users identity that does not violate users privacy. CAPTCHAS are proven inefficient, email domains are easy as a 1-2 click. Once the setup is done server side changing to a new address is as easy as changing your server settings and registering a new domain, then just pointing your MX records there. Heck depending on your postfix setup you might not even have to change server settings, if your account lookup is setup to ignore the domain and it all uses the same database. Even phone numbers have proven troublesome but its the least troublesome method available

The entire reason PII style setups are used, is because its an easy verification site side, but a hard to spoof verification customer side. Like the article says, phone numbers are hard to change for verification, many only let you change so many times in X period, and usually require some form of physical identity to register, and the ones who don't are forced such as VOIP style numbers get blocked.

We lack currently a good system aside from that, because at the end of the day, how do you prove you are who you say you are, without disclosing your identity. I personally think it should be fine to give up some PII for security purposes, but this NEEDS to be restricted only to security and should never be shared with any entity, and this includes government overreach. Alas this will never happen.

[–] AnAmericanPotato 9 points 4 days ago (1 children)

This assumes a legitimate need to prove who you are outside the context of that specific site, rather than just within it. Sometimes that need is real, sometimes it is not.

When it's not, and you only need to prove you are the same person who created the account, then a simple username and password is sufficient. Use 2FA (via authenticator app or key, NOT via SMS or email) on top of that. This allows users to prove to a sufficient degree that they are the owner of that account.

This is how most Lemmy instances work, for example. I can sign up by creating a username and password, with optional 2FA. They do not need my email. They do not need my phone number. They do not need my name, or my contacts, or anything else that is not related to my identity within their server.

I realize that this is untenable at large scales for any communications platform. Spam (and worse) is a problem wherever there are easy and anonymous signups. I'm honestly not sure how Lemmy is as clean as it is. I guess it's just not popular enough to attract spammers.

load more comments (1 replies)
load more comments
view more: next ›