• danhab99@programming.dev
    11 months ago

    To validate that a user is a person. The idea is to trust the phone companies that a person who happens to possess a phone number is actually a person.

    • 7heo@lemmy.ml
      11 months ago

      To validate that a user is a person.

      Unfortunately, in reality, this isn’t a thing.

      I regularly work with industries that consume an ungodly amount of phone numbers, using prepaid SIM cards, and have them “preregistered” (registered by random people, or from sellers that ask random people to register the SIM, etc.; there are plenty of ways).

      After that, as long as prepaid credit is added on the SIM often enough (about 20 bucks per year on average), the SIM will happily connect to phone networks. SIM cards and credit can easily be obtained for cash money, so the whole operation is as anonymous as money can be (given that you have the right considerations and care with IMEI numbers and when and where you turn your phone on).

      I have myself used such a card to register my Signal account without disclosing my identity, and it works to this day; but I didn’t put credit on it, because I got sidetracked, so now, I’m stuck with that number for as long as I keep my original phone.

      Long story short, with a budget of 20 bucks a year per Signal account, I could have as many Signal profiles as desired. I don’t really call that a “protection”. 10 bucks initial fee (and then 20 bucks a year, including that initial 10 bucks fee) is a very ineffective barrier to entry against abuse: successful scam/spam/abuse campaigns can easily bring at least one order of magnitude more money than the initial cost with some pretty obvious basic care (not adding 100s of contacts immediately, etc.).

      The real solution here is, as always, not hand-holding users into obliviousness, and instead educating them and letting them use their brain to determine if a contact request is legit or not. Past that point, if the protocol is designed properly, the communication should be relatively secure.

      Signal is arguably doing too much here, and while I salute their intent, I also am pretty disappointed that they are relying on such a flawed method, which IMHO brings more harm than good (it absolutely breaks anonymity for power users), and advertise it as “worth it”.

      • danhab99@programming.dev
        11 months ago

        I never said it was a good solution. There is no way to trust any validation that a user on the Internet is a person. But this way is cheap, easy, and most people aren’t gonna go through the effort of masking their identities.

        Also, one discrepancy in an audit of a phone-number-trusted user base sticks out enough for cops to make some progress.