[{"data":1,"prerenderedAt":189},["ShallowReactive",2],{"post-\u002Fblog\u002Fsms":3},{"id":4,"title":5,"body":6,"date":179,"description":180,"extension":181,"meta":182,"navigation":183,"path":184,"seo":185,"sitemap":186,"stem":187,"__hash__":188},"blog\u002Fblog\u002Fsms.md","Your Phone Number is a Snitch",{"type":7,"value":8,"toc":171},"minimark",[9,13,16,22,27,30,33,36,40,43,46,49,53,56,59,63,66,141,146,168],[10,11,12],"p",{},"Most \"secure\" apps protect what you say but broadcast exactly who you are. Privacy is a dead end if it starts with a SIM card.",[10,14,15],{},"We’ve traded anonymity for a \"frictionless\" onboarding process that treats your phone number as a permanent, global ID. It’s the ultimate metadata leak, and most users are too lazy to care.",[17,18,19],"blockquote",{},[10,20,21],{},"\"Encryption hides the message, but the phone number reveals the target. You can’t be private if you aren't anonymous.\"\n— Anonymous",[23,24,26],"h2",{"id":25},"the-onboarding-trap","The Onboarding Trap",[10,28,29],{},"The primary reason apps like Signal, Telegram, or WhatsApp demand your number is simple: growth. Using your contact list to \"find friends\" creates a viral loop that makes user acquisition free.",[10,31,32],{},"This \"discovery\" feature is a privacy nightmare. When you sync your contacts, you are uploading the social graph of everyone you know—including people who never consented to be on the platform—to a central server.",[10,34,35],{},"Hashing those numbers (SHA-256) is a joke. Since the search space for phone numbers is tiny (about combinations), any script-kiddie can rainbow-table the hashes back to raw numbers in minutes.",[23,37,39],{"id":38},"the-kyc-backdoor","The KYC Backdoor",[10,41,42],{},"In most jurisdictions, a phone number is a government-issued ID. Between SIM registration laws and credit card billing, your number is hard-linked to your legal name and physical address.",[10,44,45],{},"By requiring a number, \"secure\" apps inherit the surveillance state’s existing database. If a state actor wants to know who @CyberGhost is, they don't need to break the encryption; they just need to subpoena the carrier for the owner of the number.",[10,47,48],{},"It’s an architectural choice to prioritize convenience over actual threat modeling. If you can't sign up via a random string of characters or an onion address, the app isn't built for your safety—it’s built for its own scale.",[23,50,52],{"id":51},"the-ss7-and-sim-swap-risk","The SS7 and SIM Swap Risk",[10,54,55],{},"Relying on a phone number means your account security is only as strong as a telco’s minimum-wage customer rep. SIM swapping is a trivial exploit that bypasses your \"secure\" encryption by hijacking the account recovery process.",[10,57,58],{},"Furthermore, the SS7 protocol used by global roaming networks is a sieve. State actors can intercept SMS verification codes before they even reach your device, making \"secure\" account creation a theater of security.",[23,60,62],{"id":61},"why-it-matters-how-to-use-it","Why it matters \u002F How to use it",[10,64,65],{},"If you actually need to vanish, stop using apps that require a SIM. You need systems that decouple identity from hardware.",[67,68,69,85],"table",{},[70,71,72],"thead",{},[73,74,75,79,82],"tr",{},[76,77,78],"th",{},"Protocol",[76,80,81],{},"ID Type",[76,83,84],{},"Metadata Leak",[86,87,88,103,115,128],"tbody",{},[73,89,90,97,100],{},[91,92,93],"td",{},[94,95,96],"strong",{},"Signal",[91,98,99],{},"Phone Number",[91,101,102],{},"High (Social Graph)",[73,104,105,110,112],{},[91,106,107],{},[94,108,109],{},"WhatsApp",[91,111,99],{},[91,113,114],{},"Extreme (Everything but the text)",[73,116,117,122,125],{},[91,118,119],{},[94,120,121],{},"Session",[91,123,124],{},"Session ID (Pubkey)",[91,126,127],{},"Near Zero (Onion Routed)",[73,129,130,135,138],{},[91,131,132],{},[94,133,134],{},"SimpleX",[91,136,137],{},"No Global ID",[91,139,140],{},"Zero (Pairwise keys)",[10,142,143],{},[94,144,145],{},"The Protocol Choice:",[147,148,149,156,162],"ol",{},[150,151,152,155],"li",{},[94,153,154],{},"SimpleX Chat:"," It uses no identifiers at all. Not even a random ID. Every connection is a unique cryptographic pair.",[150,157,158,161],{},[94,159,160],{},"Session:"," Uses the Oxen Service Node Network to onion-route your messages. Your ID is just a public key.",[150,163,164,167],{},[94,165,166],{},"Matrix (with caveats):"," Can be run without a number if the homeserver allows it, but metadata remains a concern depending on the host.",[10,169,170],{},"Identity is the only metadata that truly matters. If you give them your number, you’ve already lost the game.",{"title":172,"searchDepth":173,"depth":173,"links":174},"",2,[175,176,177,178],{"id":25,"depth":173,"text":26},{"id":38,"depth":173,"text":39},{"id":51,"depth":173,"text":52},{"id":61,"depth":173,"text":62},"2026-01-13","Why secure messaging fails at identity","md",{},true,"\u002Fblog\u002Fsms",{"title":5,"description":180},{"loc":184},"blog\u002Fsms","2CiAAIUp4SEECorCK8uT2D_R3IcssH0jlrhm8OqH-4U",1783186628091]