-
-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update!: Add Phone Service Providers #2099
base: main
Are you sure you want to change the base?
Conversation
✅ Deploy Preview for privacyguides ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
c7d28bc
to
ea69981
Compare
One of the advantages of telnum.net is they take monero which I'm not aware of the others doing. Their once-use disposable SMS numbers are useful for things like Discord. Some rooms there require a set phone number. Discord does do some checking to see if it's a VOIP number, and you don't get charged if no SMS is received from the VOIP number, so you can just try again. |
There is also https://silent.link/ |
Silient Link however interresting is not VOIP but a regular esim. Would maybe fall in a data category with PGPP by invisv |
I am not sure if we should recommend disposable numbers, it may link you to others which could be an issue if used for criminal activity and you therefore become a target. In addition we have seen that often numbers get tight to accounts for 2FA even if the users do not know this. So you will be locked out of your account. It is not always possible to see this consequence in advance. |
Thanks for adding the criteria @jonaharagon! i still think we need to warn users about the trackers in the Hushed app. And I really wonder why Google Voice is not on the list. For all I see this is the most stable option on Android if you live in the right area. |
@ph00lt0 see: https://github.com/privacyguides/privacyguides.org/pull/2099/files#diff-1e0a622877fe626bbe5eceee6525b85baed7d4eaf7addea856f4f04b6eaac7f1R77-R79 Google Voice doesn't meet at least two of our criteria. I'm not interested in recommending less privacy-respecting providers on a cost-basis alone, which seems to be the only advantage it has. |
After researching PGPP a bit more I think that the concerns about it I had in https://github.com/privacyguides/privacyguides.org/discussions/1615#discussioncomment-3355447 are correct, I'm not going to include them. I did initially think that PGPP might still provide protection against third-party IMSI-catchers like Stingrays even though it doesn't protect against network operator tracking, but even in that case it appears that more advanced catchers can track IMEI numbers as well, which is the whole problem anyways. |
ea69981
to
2b3fadd
Compare
To be clear, since the launch I have been very sceptical of PGPP and especially on their claims. But one thing they do well is that using cryptogaphy they made it impossible to figure out who pays for which subscription. This could still be a huge advantage that I have not seen elsewhere. I was actually arguing a long time against PGPP' feature to automatically change IMSI numbers as tbh I think this only makes you more visisble. If I were some 3 letter agency I would be looking for IMEI number that regularly change IMSI. |
I'm unsure how this is an advantage over paying for Silent Link with Monero? |
Because getting monero requires KYC giving vague companies pasport copies. Impossible to obtain in a sensible way. It surely isn't worse than paying with crypto. |
2b3fadd
to
d705c18
Compare
Okay, I'm following you. I added PGPP with the requisite warnings for review, it does seem like there is at least one compelling use-case. I also like that they have unlimited data. |
d705c18
to
94b708f
Compare
94b708f
to
0fbb534
Compare
https://ockham-solutions.fr/site/en/products/mercure/mercure-v4.html Just for reference shows why IMSI changing is ineffective. |
a45aaa2
to
4c805da
Compare
e124ecf
to
82ab189
Compare
0a94f3f
to
d80af39
Compare
### Pretty Good Phone Privacy | ||
|
||
!!! danger | ||
|
||
PGPP makes some claims about how their mobile network does not require trust in Invisv as a network provider, but they are not entirely accurate. Make sure you read this entry entirely before determining whether PGPP makes sense for you. | ||
|
||
This is our favorite cell service option if you want to pay with traditional payment methods, or need unlimited mobile data. | ||
|
||
!!! recommendation | ||
|
||
**Pretty Good Phone Privacy** (**PGPP**) is a data-only eSIM service from Invisv, which can be paired with any recommended VoIP provider above for voice/SMS service. | ||
|
||
[:octicons-home-16: Homepage](https://invisv.com/pgpp/){ .md-button .md-button--primary } | ||
[:octicons-info-16:](https://www.usenix.org/system/files/sec21-schmitt.pdf){ .card-link title=Documentation} | ||
|
||
??? downloads | ||
|
||
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.invisv.pgpp) | ||
- [:simple-android: Android](https://invisv.com/articles/pgpp-updates.html#f-droid-and-apk) | ||
|
||
Invisv does collect your billing information through Stripe, their payment processor. However, PGPP's use of [blinded tokens](https://en.wikipedia.org/wiki/Blind_signature) for network authentication mean that Invisv cannot tie that billing information to your device. In other words, Invisv would be able to tell that "John Doe" has a PGPP account, but would not be able to determine which phone on their network belongs to "John Doe." | ||
|
||
Invisv additionally claims that your device cannot be tracked by the network because they periodically randomize your IMSI number, the identifier tied to your SIM card used to identify a subscriber. ==Unfortunately, this practice alone does **not** thwart device tracking.== Another identifier sent to networks is the IM**E**I number, the identifier tied to your phone hardware. You can think of an IMEI as your phone's "[MAC Address](os/linux-overview.md#mac-address-randomization)," except unlike with Wi-Fi/Ethernet MAC Addresses, randomizing or spoofing the IMEI is not possible and even illegal in certain countries. | ||
|
||
Therefore, unless you *also* physically swap your phone hardware every few days, ==it would be trivial for the network operator to build a location profile of a specific device despite IMSI randomization, because your IMEI is a static identifier visible to the network.== Additionally, PGPP will not even protect against anything but the most basic third-party [IMSI-catchers](https://en.wikipedia.org/wiki/IMSI-catcher), because most modern IMSI-catchers can track IMEI as well. | ||
|
||
This service requires an eSIM compatible Android phone, like the [Google Pixel](android.md#android-devices). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Invisv recently announced the shutdown of PGPP on their blog: https://invisv.com/articles/service_shutdown.html
### Pretty Good Phone Privacy | |
!!! danger | |
PGPP makes some claims about how their mobile network does not require trust in Invisv as a network provider, but they are not entirely accurate. Make sure you read this entry entirely before determining whether PGPP makes sense for you. | |
This is our favorite cell service option if you want to pay with traditional payment methods, or need unlimited mobile data. | |
!!! recommendation | |
**Pretty Good Phone Privacy** (**PGPP**) is a data-only eSIM service from Invisv, which can be paired with any recommended VoIP provider above for voice/SMS service. | |
[:octicons-home-16: Homepage](https://invisv.com/pgpp/){ .md-button .md-button--primary } | |
[:octicons-info-16:](https://www.usenix.org/system/files/sec21-schmitt.pdf){ .card-link title=Documentation} | |
??? downloads | |
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.invisv.pgpp) | |
- [:simple-android: Android](https://invisv.com/articles/pgpp-updates.html#f-droid-and-apk) | |
Invisv does collect your billing information through Stripe, their payment processor. However, PGPP's use of [blinded tokens](https://en.wikipedia.org/wiki/Blind_signature) for network authentication mean that Invisv cannot tie that billing information to your device. In other words, Invisv would be able to tell that "John Doe" has a PGPP account, but would not be able to determine which phone on their network belongs to "John Doe." | |
Invisv additionally claims that your device cannot be tracked by the network because they periodically randomize your IMSI number, the identifier tied to your SIM card used to identify a subscriber. ==Unfortunately, this practice alone does **not** thwart device tracking.== Another identifier sent to networks is the IM**E**I number, the identifier tied to your phone hardware. You can think of an IMEI as your phone's "[MAC Address](os/linux-overview.md#mac-address-randomization)," except unlike with Wi-Fi/Ethernet MAC Addresses, randomizing or spoofing the IMEI is not possible and even illegal in certain countries. | |
Therefore, unless you *also* physically swap your phone hardware every few days, ==it would be trivial for the network operator to build a location profile of a specific device despite IMSI randomization, because your IMEI is a static identifier visible to the network.== Additionally, PGPP will not even protect against anything but the most basic third-party [IMSI-catchers](https://en.wikipedia.org/wiki/IMSI-catcher), because most modern IMSI-catchers can track IMEI as well. | |
This service requires an eSIM compatible Android phone, like the [Google Pixel](android.md#android-devices). |
This pull request has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.net/t/voip-cell-comms-knowledge-base-article/20635/1 |
Changes proposed in this PR:
Closes: #2009
To-do list: