@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.

• Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
  • Even if it's just some App/PBX/… to connect to the provider and constantly state "I am on the network and able to recieve calls!" (with PSTN networks, there a physical line that gets assumed to have a phone connected)…

Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.

• So unless the provider is being taken over or otherwise "cooperative" there's no means for a sender to know where, when and how a message was retrieved unless the recipient wants the sender to know of it!
  • Besides, even if you don't have an eMail provider like cock.li which natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down.
  • In fact, you could even use #Sneakernet - Style distribution through "#MeatProxies" and #DeadDrops (aka. #dr0p) to further twart tracing attempts.

Or to put it simple:

• You can ring up someone and thus circumstantially verify the chain of #PhoneNumber -> #IMSI -> #ICCID -> #SIM -> #IMEI -> Device -> Location -> Owner quite quickly.
  • Whereas you can't positively verify whether an eMail address and/or #XMPP+#OMEMO account belongs to me unless I want you to know that it does!

So either way a phone number is just a horrible means of doing that.

• And don't even get me started on the fact that legally speaking noone truly owns their number.
  • Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an OnionService which can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.

I mean, it's not as if I didn't gave @signalapp a fair chance.

• I wanted #Signal to be good - honestly...
  • But I'm old enough that things rarely are that simple as #TechPopulism & #Propaganda claim it to be.
  • Just like 5th grade #SexEd is not a substitute for Endocrinology, Gynecology and Andrology and actually licensed, medical professionals.

So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…

• Cuz all the "#Metadata" claims of Signal are complete #MarketingLies by virtue of them storing a Phone Number and not just being (as per admission by @Mer__edith) 'hard locked-in' with #aws but also subject to #CloudAct.
• They certainly are not deploying real #E2EE cuz you neither get #SelfCustody nor #SelfHosting and have to blindly trust them (aka. "#TrustMeBro!") that what they release as #SourceCode is actually what they deploy.
  • It's like all those "#VPN" shillings which one cannot verify to be true or false!

THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.

• And I don't mean shit like #Govware of the #SS7 kind, but absolute basics in #ITsec, #InfoSec, #OpSec & #ComSec that every @cryptoparty@chaos.social / @cryptoparty@mastodon.earth / #CryptoParty worth it's name touches on.
  • Signal can't and won't save peoples' asses and the sooner we realize that "complex problems are hard to fix" the less we waste Resources on #HoneyPots that stench like #CrytpoAG & #ANØM!

@dianea @iode doesn't help in places like the #USA where carriers sell #IMEI & #ICCID data to anyone able to pay their prices.

• Shit that is so illegal in the #EU that businesses can be glad if their CTO doesn't get jailtime for it!

https://infosec.space/@kkarhan/115675597387128140

@adisonverlice even if an #MVNO isn't demanding any #KYC whatsoever (i.e. #prepaid are offered OTC in most juristictions) it's NOT "#Anonymous" but merely #pseudonymous as it's trivial for governments to utilize existing and mandtory "#LawfulInterception" appliances to create that #PII chain.

#PhoneNumber <=> #ICCID (#SIMcard) <=> #IMSI (SIM profile) <=> #IMEI (Phone/...).

So if #Anonymity is important, NONE of these details have to be linked somehow even circumstantial.

• Bought/paid for the phone/SIM/ a single top-up with ec/CC/PayPal/SEPA/… = busted due to circumstantial connection.

• Use the SIM in any device? Consider them circumstantially connected forever: #ICCID <=> #IMEI.

• Same applies to #eSIM|s: #EID <=> #ICCID <=> #IMEI.

Add to the fact that most places have #CCTV, and assume that they'll keep recordings for the maximum permissible duration if not longer and oftentimes even use questionable cloud services and you get the picture.

• I.e. in Germany the maximum permissible storage duration is 72 hours (if nothing hapoens that warrants a longer storage i.e. burglary/theft/robbery/arson/...) so anonymous top-ups would necessitate paying cash at a place one's not been known at (i.e. some kiosk) and waiting at least >72 hours (and checking on the purchase location) before redeeming the top-up code (i.e. dialing *104*1234567890123456# )...

So any #privacy-based service should never ever & under no circumstances demand a Phone Number!

• Instead any privacy-focussed service should use #OnionServices, host their own #OnionService or at least #DontBlockTor and allow users to use it via @torproject / #Tor to use and signup. (But don't forget circumstantial connections there either!)

• Also the less details they want or store and the least traffic they generate the harder it is to correlate traffic & users.

@cryptgoat ja, nur ist es quasi illegal @signalapp / #Signal #anonym (also faktisch nur #pseudonym, weil stets korrelierbar qua #Rufnummer -> #ICCID -> #IMSI -> #IMEI -> #Location) zu nutzen.

• Seit 07/2017 sind anonyme #SIM-Karten faktisch illegal und ne SIM mir Rufnummer ist ne #Paywall die faktisch teurer ist als nen @monocles - Abo.

Allein die notwendigen #Workarounds sind so heftig paywalled dass es eher sinn macht 1h Hands-on - Training zu investieren...

• Von den Problemen die Signal hat ganz zu schweigen...

https://fedifreu.de/@cryptgoat/114705198216850106

@landley @jschauma @ryanc @0xabad1dea yeah, the exhaustion problem would've been shoved back with a #64bit or sufficiently delayed by a 40bit number.

Unless we also hate #NAT and expect every device to have a unique static #IP (which is a #privacy nightmare at best that "#PrivacyExtensions" barely fixed.)

• I mean they could've also gone the #DECnet approach and use the #EUI48 / #MAC-Address (or #EUI64) as static addressing system, but that would've made #vendors and not #ISPs the powerful forces of allocation. (Similar to how technically the #ICCID dictates #GSM / #4G / #5G access and not the #IMEI unless places like Australia ban imported devices.

I guess using a #128bit address space was inspired by #ZFS doing the same before, as the folks who designed both wanted to design a solution that clearly will outlive them (way harder than COBOL has outlived Grace Hopper)...

• Personally I've only had headaches with #IPv6 because not only do I only have #IPv4only #Internet but my #ISP refuses to allocate even a singe /64 to me (but has no problem throwing in a free /29 of #IPv4's in with my contract!)and stuff like #HurricaneElectric / #HEnet's #Tunnelbroker fail face first due to #Geoblocking and the fact that #ASNs get geolocated, not their #PoPs...

If I was @BNetzA I would've mandated #DualStack and banned #CGNAT (or at least the use of CGNAT in #RFC1918 address spaces) as well as #DualStackLite!

@bob_zim yeah. Seen it. in the writeup by @micahflee ...

I just hope to find any that ain't #NetLock'd / #SimLock'd to #Verizon and that these support more than #US-#LTE bands...

• Not shure if it needs a valid #SIM or just an #ICCID + #Ki on a #SIM to get going (cuz in #Germany it's hard [imported #SIM] to illegal [domestic SIMs] to get an anonymous SIM since 07/2017.

I just wish @eff wouldn't expect everyone to use #centralized, #SingleVendor & #SingleProvider services like @signalapp in the age of #CloudAct, cuz neither I nor anyone I'd trust would submit #PII to them like a #PhoneNumer as a matter of principle!

@tauon

1) #CloudAct is just #CyberFacism, look it up!
https://en.wikipedia.org/wiki/CLOUD_Act

• And with #Trumpism ravaging the #USA must be considered as #hostile as #Russia and the "P.R." #China by anyone who takes #OpSec, #InfoSec & #ComSec seriously!

-

2) @signalapp 's #Server code is proprietary and since it's centralized we can't trust that the code they release is what's running on their backend!

• Plus their #App doesn't allow #ReproducibleBuilds (if Signal was #FLOSS it would be on @fdroidorg / #Fdroid) but alas it isn't!

-

3) #Signal still demands #PhoneNumbers which are #PII either by association (#Number => #ICCID = #SIM = #IMSI => #IMEI => Location Data as I explained beforetwice) or mandatory #KYC / #ID requirements (even on prepaid cards), which an increasing amount of juristictions do...

• They have no "#LegitimateInterest" demanding said #PersonallyIdentifyingInformation to begin with!

-

But don't take my word for it.
https://www.youtube.com/watch?v=tJoO2uWrX1M

• Ask yourself if you'd trust someone peddlibg #Shitcoin #Scams like #MobileCoin with your data!

Question to my fellow #telecommunication nerds: Does anyone know who is maintaining the #ICCID prefix list nowadays? The #ITU-T seems to have lost interest and the last document [1] I could find is from 2018 and misses some MNOs I'm looking for...

1. https://www.itu.int/pub/T-SP-E.118-2018