Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update!: Add Phone Service Providers #2099

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Conversation

jonaharagon
Copy link
Member

@jonaharagon jonaharagon commented Mar 22, 2023

Changes proposed in this PR:

  • Adds phone number provider page
  • Replaces duplicate images with symlinks

Closes: #2009

To-do list:

  • Criteria
  • JMP.chat logo
  • MySudo logo
  • Hushed logo
  • Cheogram logo
  • VOIPSuite logo
  • Silent Link Logo
  • PGPP Logo
  • I have disclosed any relevant conflicts of interest in my post.
  • I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
  • I am the sole author of this work.
  • I agree to the Community Code of Conduct.

@jonaharagon jonaharagon added the c:providers service providers and similar centralized/federated services label Mar 22, 2023
@jonaharagon jonaharagon requested a review from dngray March 22, 2023 15:34
@netlify
Copy link

netlify bot commented Mar 22, 2023

Deploy Preview for privacyguides ready!

Name Link
🔨 Latest commit 0fbb534
🔍 Latest deploy log https://app.netlify.com/sites/privacyguides/deploys/641c7e2a105c2f0008668430
😎 Deploy Preview https://deploy-preview-2099--privacyguides.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

docs/tools.md Outdated Show resolved Hide resolved
@jonaharagon jonaharagon marked this pull request as draft March 22, 2023 16:57
jonaharagon added a commit that referenced this pull request Mar 22, 2023
@dngray
Copy link
Member

dngray commented Mar 23, 2023

One of the advantages of telnum.net is they take monero which I'm not aware of the others doing.

Their once-use disposable SMS numbers are useful for things like Discord. Some rooms there require a set phone number. Discord does do some checking to see if it's a VOIP number, and you don't get charged if no SMS is received from the VOIP number, so you can just try again.

@jonaharagon
Copy link
Member Author

There is also https://silent.link/

@ph00lt0
Copy link
Member

ph00lt0 commented Mar 23, 2023

There is also https://silent.link/

Silient Link however interresting is not VOIP but a regular esim. Would maybe fall in a data category with PGPP by invisv

@ph00lt0
Copy link
Member

ph00lt0 commented Mar 23, 2023

One of the advantages of telnum.net is they take monero which I'm not aware of the others doing.

Their once-use disposable SMS numbers are useful for things like Discord. Some rooms there require a set phone number. Discord does do some checking to see if it's a VOIP number, and you don't get charged if no SMS is received from the VOIP number, so you can just try again.

I am not sure if we should recommend disposable numbers, it may link you to others which could be an issue if used for criminal activity and you therefore become a target. In addition we have seen that often numbers get tight to accounts for 2FA even if the users do not know this. So you will be locked out of your account. It is not always possible to see this consequence in advance.

@ph00lt0
Copy link
Member

ph00lt0 commented Mar 23, 2023

Thanks for adding the criteria @jonaharagon!

i still think we need to warn users about the trackers in the Hushed app. And I really wonder why Google Voice is not on the list. For all I see this is the most stable option on Android if you live in the right area.

@jonaharagon
Copy link
Member Author

@ph00lt0 see: https://github.com/privacyguides/privacyguides.org/pull/2099/files#diff-1e0a622877fe626bbe5eceee6525b85baed7d4eaf7addea856f4f04b6eaac7f1R77-R79

Google Voice doesn't meet at least two of our criteria. I'm not interested in recommending less privacy-respecting providers on a cost-basis alone, which seems to be the only advantage it has.

@jonaharagon
Copy link
Member Author

After researching PGPP a bit more I think that the concerns about it I had in https://github.com/privacyguides/privacyguides.org/discussions/1615#discussioncomment-3355447 are correct, I'm not going to include them.

I did initially think that PGPP might still provide protection against third-party IMSI-catchers like Stingrays even though it doesn't protect against network operator tracking, but even in that case it appears that more advanced catchers can track IMEI numbers as well, which is the whole problem anyways.

jonaharagon added a commit that referenced this pull request Mar 23, 2023
@ph00lt0
Copy link
Member

ph00lt0 commented Mar 23, 2023

After researching PGPP a bit more I think that the concerns about it I had in #1615 (comment) are correct, I'm not going to include them.

I did initially think that PGPP might still provide protection against third-party IMSI-catchers like Stingrays even though it doesn't protect against network operator tracking, but even in that case it appears that more advanced catchers can track IMEI numbers as well, which is the whole problem anyways.

To be clear, since the launch I have been very sceptical of PGPP and especially on their claims. But one thing they do well is that using cryptogaphy they made it impossible to figure out who pays for which subscription. This could still be a huge advantage that I have not seen elsewhere.

I was actually arguing a long time against PGPP' feature to automatically change IMSI numbers as tbh I think this only makes you more visisble. If I were some 3 letter agency I would be looking for IMEI number that regularly change IMSI.

@jonaharagon
Copy link
Member Author

But one thing they do well is that using cryptogaphy they made it impossible to figure out who pays for which subscription. This could still be a huge advantage that I have not seen elsewhere.

I'm unsure how this is an advantage over paying for Silent Link with Monero?

@ph00lt0
Copy link
Member

ph00lt0 commented Mar 23, 2023

But one thing they do well is that using cryptogaphy they made it impossible to figure out who pays for which subscription. This could still be a huge advantage that I have not seen elsewhere.

I'm unsure how this is an advantage over paying for Silent Link with Monero?

Because getting monero requires KYC giving vague companies pasport copies. Impossible to obtain in a sensible way. It surely isn't worse than paying with crypto.

jonaharagon added a commit that referenced this pull request Mar 23, 2023
@jonaharagon
Copy link
Member Author

Okay, I'm following you. I added PGPP with the requisite warnings for review, it does seem like there is at least one compelling use-case. I also like that they have unlimited data.

@jonaharagon jonaharagon changed the title VoIP Providers Add Phone Service Providers Mar 23, 2023
jonaharagon added a commit that referenced this pull request Mar 23, 2023
@ph00lt0
Copy link
Member

ph00lt0 commented Mar 31, 2023

https://ockham-solutions.fr/site/en/products/mercure/mercure-v4.html

Just for reference shows why IMSI changing is ineffective.

@jonaharagon jonaharagon self-assigned this May 22, 2024
Comment on lines +159 to +185
### Pretty Good Phone Privacy

!!! danger

PGPP makes some claims about how their mobile network does not require trust in Invisv as a network provider, but they are not entirely accurate. Make sure you read this entry entirely before determining whether PGPP makes sense for you.

This is our favorite cell service option if you want to pay with traditional payment methods, or need unlimited mobile data.

!!! recommendation

**Pretty Good Phone Privacy** (**PGPP**) is a data-only eSIM service from Invisv, which can be paired with any recommended VoIP provider above for voice/SMS service.

[:octicons-home-16: Homepage](https://invisv.com/pgpp/){ .md-button .md-button--primary }
[:octicons-info-16:](https://www.usenix.org/system/files/sec21-schmitt.pdf){ .card-link title=Documentation}

??? downloads

- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.invisv.pgpp)
- [:simple-android: Android](https://invisv.com/articles/pgpp-updates.html#f-droid-and-apk)

Invisv does collect your billing information through Stripe, their payment processor. However, PGPP's use of [blinded tokens](https://en.wikipedia.org/wiki/Blind_signature) for network authentication mean that Invisv cannot tie that billing information to your device. In other words, Invisv would be able to tell that "John Doe" has a PGPP account, but would not be able to determine which phone on their network belongs to "John Doe."

Invisv additionally claims that your device cannot be tracked by the network because they periodically randomize your IMSI number, the identifier tied to your SIM card used to identify a subscriber. ==Unfortunately, this practice alone does **not** thwart device tracking.== Another identifier sent to networks is the IM**E**I number, the identifier tied to your phone hardware. You can think of an IMEI as your phone's "[MAC Address](os/linux-overview.md#mac-address-randomization)," except unlike with Wi-Fi/Ethernet MAC Addresses, randomizing or spoofing the IMEI is not possible and even illegal in certain countries.

Therefore, unless you *also* physically swap your phone hardware every few days, ==it would be trivial for the network operator to build a location profile of a specific device despite IMSI randomization, because your IMEI is a static identifier visible to the network.== Additionally, PGPP will not even protect against anything but the most basic third-party [IMSI-catchers](https://en.wikipedia.org/wiki/IMSI-catcher), because most modern IMSI-catchers can track IMEI as well.

This service requires an eSIM compatible Android phone, like the [Google Pixel](android.md#android-devices).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Invisv recently announced the shutdown of PGPP on their blog: https://invisv.com/articles/service_shutdown.html

Suggested change
### Pretty Good Phone Privacy
!!! danger
PGPP makes some claims about how their mobile network does not require trust in Invisv as a network provider, but they are not entirely accurate. Make sure you read this entry entirely before determining whether PGPP makes sense for you.
This is our favorite cell service option if you want to pay with traditional payment methods, or need unlimited mobile data.
!!! recommendation
**Pretty Good Phone Privacy** (**PGPP**) is a data-only eSIM service from Invisv, which can be paired with any recommended VoIP provider above for voice/SMS service.
[:octicons-home-16: Homepage](https://invisv.com/pgpp/){ .md-button .md-button--primary }
[:octicons-info-16:](https://www.usenix.org/system/files/sec21-schmitt.pdf){ .card-link title=Documentation}
??? downloads
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.invisv.pgpp)
- [:simple-android: Android](https://invisv.com/articles/pgpp-updates.html#f-droid-and-apk)
Invisv does collect your billing information through Stripe, their payment processor. However, PGPP's use of [blinded tokens](https://en.wikipedia.org/wiki/Blind_signature) for network authentication mean that Invisv cannot tie that billing information to your device. In other words, Invisv would be able to tell that "John Doe" has a PGPP account, but would not be able to determine which phone on their network belongs to "John Doe."
Invisv additionally claims that your device cannot be tracked by the network because they periodically randomize your IMSI number, the identifier tied to your SIM card used to identify a subscriber. ==Unfortunately, this practice alone does **not** thwart device tracking.== Another identifier sent to networks is the IM**E**I number, the identifier tied to your phone hardware. You can think of an IMEI as your phone's "[MAC Address](os/linux-overview.md#mac-address-randomization)," except unlike with Wi-Fi/Ethernet MAC Addresses, randomizing or spoofing the IMEI is not possible and even illegal in certain countries.
Therefore, unless you *also* physically swap your phone hardware every few days, ==it would be trivial for the network operator to build a location profile of a specific device despite IMSI randomization, because your IMEI is a static identifier visible to the network.== Additionally, PGPP will not even protect against anything but the most basic third-party [IMSI-catchers](https://en.wikipedia.org/wiki/IMSI-catcher), because most modern IMSI-catchers can track IMEI as well.
This service requires an eSIM compatible Android phone, like the [Google Pixel](android.md#android-devices).

@jonaharagon jonaharagon changed the title Add Phone Service Providers update!: Add Phone Service Providers Aug 2, 2024
@privacyguides-bot
Copy link
Collaborator

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/voip-cell-comms-knowledge-base-article/20635/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c:providers service providers and similar centralized/federated services
Projects
Status: Ready
Status: Unreviewed
Development

Successfully merging this pull request may close these issues.

VOIP Providers
8 participants