E.164 must die

The author of this article (HN comments) has written an article I've been meaning to write myself for some time.

I neither have, nor want, an E.164 number at this time, so services which demand I offer them one are making an invalid assumption and, advertently or inadvertently, telling me to get lost.

I used to have an E.164 number attached to a mobile phone, but this number was lost without warning due to a lack of use of the number; it was only ever used to receive SMS messages, and all incoming calls were ignored. Though I could trivially obtain a new SIM card to put in an old dumbphone, and with it a new E.164 number, this would force me to engage with the small number of carriers with spectrum and their variously obnoxious business practices, or the larger number of MVNOs which resell those carriers and are thereby forced to perpetuate their business practices, and thus can never truly be better than them.

The E.164 namespace addresses an international, and rather opaque, network of companies operating dubious business and billing practices. Many networks are being converted to packet-switched, VoIP architectures internally, but the chronological billing model born of the economics of circuit-switched telecoms is kept alive as a facade, it no doubt being more profitable. In some ways no company has any power to rise above this, because they have to route calls to other networks which operate in the same way. The global PSTN thus forms a dubious world map of private fiefdoms, each with their own billing practices. The PSTN is never going to be weaned off the billing model of hundred-page price lists listing E.164 prefixes and associated per-unit-time call costs, despite the Internet by its very existence having proven that there are better ways to pay for and operate a global communications network. I object to the continued existence of this network, operated as it is.

The E.164 namespace is not secure, and not only because carriers are prone to randomly reassign disused numbers. Not too many months ago, articles were posted on HN about how a targeted attacker managed to obtain control of an organization's staff member's highly used E.164 number, probably just via social engineering. Since many account systems entertain the demonstrably false idea that E.164 numbers represent a more secure point of contact than other identifiers, such as an e-mail address, this creates a significant vulnerability, especially where users are forced to offer E.164 numbers unto this end.

Anecdote seems to suggest that many carriers are intensely vulnerable to this: something along the lines of "I have E.164 number X on this phone, can you transfer it to this SIM?" The SIM is scanned, and the number assigned to it, de-assigning it from whatever SIM it was previously assigned to. The social engineer claims that the given number is currently assigned to the phone in their hand, but this may not be properly checked.

There is an array of procedural hazards regarding the security of ICANN domains, relating to a variety of suspension and forced-transfer-of-ownership procedures, such as those used for trademark disputes. It's not a very accountable system, and one that operates independently of the courts, nor are ICANN domains something one truly owns. Nonetheless, understanding the threats posed to ICANN domains one controls, I trust and prefer them a lot more than E.164 numbers.

Every now and then, I try and sign up for a Google account. They demand an E.164 number, which is essentially a way of telling me to get lost. They don't accept any old E.164 number, though. Any type of E.164 number which threatens to approach anything I might actually want to use, if I were forced to choose between the various poor options for obtaining an E.164 number, such as common online telephony APIs, is disliked by Google's signup form (as well as, amusingly, Google Voice, or so I hear). This is interesting because while Google may dislike the abusability of these services, at the same time as far as I can tell there would be nothing unreasonable about using such a service to operate a single number for one's personal use; this would confer flexibility in routing, etc. So such blocking necessarily constitutes overblocking. Essentially Google demands I offer it an E.164 number that complies with its prejudices about what the "right sort" of E.164 number is.

Interestingly, there are quite a number of websites which list E.164 numbers and display all of the SMS messages sent to them, seemingly intended for meeting precisely these verification requirements. Google seems to be on the ball about these, because most of them are blocked, either prejudicially or because they've already been used too many times. However, an occasional few, across dozens of country codes, Google will consent to dispatch an SMS to, but such SMS messages never arrive. This leads me to the following possible conclusions:

  1. Google has architected its verification SMS dispatch system to send SMSes in a deliberately rickety and unreliable manner, such that receivability further complies with Google's prejudices regarding what the "right sort" of E.164 number is, above and beyond what they can discern about an E.164 number ahead of time. Probability: probably low.

  2. The international SMS network is a shambolic and unreliable joke of a network. Probability: tiresomely plausible.

  3. The SMS providers for the aforementioned websites block messages which they perceive as being verification codes. There is evidence to suggest that this is a common practice, yet I am completely at a loss to hypothesise about the motives an organization might have to do this. At any rate, this introduces the issue of SMS neutrality, in the "yet another thing that's wrong with the PSTN" department. For example, I am aware of a person operating a venture in which you can buy the temporary use of an E.164 number with Bitcoin, probably supplied via some IP carrier service. This person claims that said supplier blocks verification SMS messages. How it is ascertained that an SMS message is a verification SMS message, or their motive for obstructing the passage of these messages, is not explained. This person thus devised an additional business offering, in which they stockpile actual SIM cards. A fresh SIM card is kept loaded into an Android phone running a special program to transmit/receive SMS messages to a connected PC, and the use of this interface can be rented in a similarly self-service manner. When a rental has expired, the SIM card is swapped out by a human at some point subsequently, the SIM is never reused, and a fresh SIM is loaded, making the phone available for rent once more. Essentially the existence of these absurd requirements has spawned a cottage industry of aiding people to comply with them emptily.

The prevalence of Russian-operated websites selling accounts at big web properties (Google, etc.) (purpose-created ones, not stolen ones, AFAIK) suggests that the use of telephone verification as an anti-spam strategy is not terribly effective.

Probably the most laughable instance of telephone centricity however was when in a moment of madness I tried to sign up for a Twitter account. Upon submission of the registration form the Twitter website told me to sign up via the Twitter smartphone application instead, which was a truly bizarre non sequitur given that I hadn't provided it any evidence I had a smartphone in the first place. Since in fact I do not, it was essentially telling me to get lost. What was hilarious however was that I succeeded in creating the account by running the Twitter application inside an (obviously E.164 number-free) Android VM, essentially proving that the whole thing was a spectacle of security theatre.

What really irritates me about these demands for E.164 numbers, however, is how they represent an abandonment of what I would describe as "internet nativity". When Google demands an E.164 number, they're not demanding it despite the fact that E.164 is a somewhat closed, opaque network, but because of it. Basically everything bad about the E.164 namespace and its constituent organizations is precisely what makes it attractive to organizations for use cases like these. They prop up an opaque network by relying on it, because they find the very openness of the internet troublesome. This essentially represents a wilful vacation of the internet as the one true network, by an organization which is iconically associated with the internet itself. It's a depressing move to see.