The Unique ID You're Giving to Everyone

Imagine this: you walk into a casual dining restaurant for dinner with some friends. The host informs you that there's a short wait for a table – about fifteen or twenty minutes – but they can let you know when the table's ready. They ask for your social security number and without so much as a thought you hand it over. The host scribbles it down on a notepad and says they'll call out your last four when your table is ready.

That sounds insane, right? And yet, that's kind of what a lot of us do regularly with our phone numbers, handing them out willy-nilly at the drop of a hat to anyone who asks. My exaggeration in this case is pretty mild. Not convinced? Don't worry. Not only will I convince you in this blog post, but I'll also show you how to protect yourself and how to do so for free, no less.

How We Got Here

When I was a kid, the idea that your phone number could someday become on par with your SSN seemed outlandish. It's hard for me to pinpoint an exact day or event that solidified this phenomenon, but I personally would attribute it to two greater societal trends: the ubiquity of mobile phones, and the ease of porting numbers. Perhaps I'm dating myself, but I remember a time before everyone and their five-year-old had a mobile phone. Even once phones started to become more widely adopted – and features like SMS and cameras began to trickle out (and SMS cost money back then, too) – transferring your number from one carrier to another remained such a pain that it was often easier to simply start clean with a whole new phone and then let all your contacts know the new number. (Excuse me, I feel old and need to go take my nap before I catch reruns of Murder She Wrote.)

Eventually there was a tipping point where smartphones became common and with every carrier competing for customers, porting your number became as easy as telling the sales guy at the phone store that you wanted to transfer everything. I think that's really when phone numbers started to become permanent, static, unique identifiers. I personally had my last phone number for well over a decade before I finally got rid of cell service altogether in favor of the “living on Wi-Fi 24/7” model.

That's When The Tracking Started

The problem with most modern tech company business models is that unchecked human greed will always enshittify. Once people started keeping the same number – because it was free and convenient – it was only a matter of time before companies realized that this could be not just another way to track us, but a very effective one, too. In many parts of the world, getting a SIM card requires handing over identification, but even for those of us who don't need ID, most folks never feel the need to have more than one SIM card – why pay so much for something you rarely use and can only have active one-at-a-time? Compare this to something like an email address, which costs nothing and you can easily load several accounts into a single app at once (many people are already used to having – for example – a personal email account and one provided by their employer, or even more than that). What makes phone numbers even better than something like an SSN or driver's license number is the fact that phone numbers aren't considered “PII” (or “personally identifiable information”) and thus are less regulated or scrutinized by lawyers than something like date of birth or SSN.

So now we have a – for all intents and purposes – mostly permanent, legally unregulated unique ID for nearly every citizen of any developed country. What could go wrong?

The Problems

You pretty much can't exist online these days without a phone number (and these days it's nearly impossible to exist offline without some degree of internet involvement). You need one to complete an online purchase, sign up for most mainstream social media platforms, or receive two-factor authentication (2FA) codes (more on that later). But every time you hand over that phone number, you're likely feeding the data machine. Because a company's sole fiduciary duty is to make as much money as possible, many of them “double dip.” Aside from whatever service they might provide you – like online shopping – many sites will have additional revenue streams like selling your data to brokers such as LexisNexis or Acxiom. And even if they don't, they probably have ads, which – shocker – are basically just a secret backdoor for data brokers to collect your data. You see, data is sort of a pyramid scheme aimed at funneling all your data to the top where a small handful of companies compile massive dossiers on you, which they in turn sell to other people for a wide range of uses from advertising campaigns to background checks to employment eligibility and more. All of this without your meaningful consent and often completely invisible to you, with virtually no say or control over it.

But wait, there's more! I meet a lot of people who seem to not care if a company has their data, as long as individuals don't (which makes no sense since companies are made up of individuals, but I digress). They seem to think that because a company is hoarding the data, that somehow means it's got at least some level of access control. But that's rarely true, especially in the case of something like a phone number. There's countless “people search” websites – like Spokeo, BeenVerified, and innumerable others – who can return a wealth of information about you with just a single piece of information like a name or phone number. They can return current and former addresses, phone numbers, email addresses, sometimes even family members or political affiliations. And maybe one website has a few details off, but typically a malicious person (like a stalker or harasser) who knows even the basics of what they're doing will check several websites to confirm information or see what overlaps they can find (one site might redact part of your address but another won't, for example).

This is all just the legal, “playing by the rules” stuff, too. This doesn't account for things like data breaches that leak your phone number and websites that abuse API access to let you figure out all the sites someone has an account on using just a single data point such as username, phone number, or email address.

And that's to say nothing of the security aspect of things. Earlier I mentioned how a common 2FA method is having a code texted to you. Well, perhaps you've heard of SIM-swapping, where an attacker convinces your cell carrier (which can be easily determined via those people search sites I mentioned) that they're you, that you have a new phone, and that they need the phone number ported over to the new device. Once the carrier does this, they can receive all your text messages, including 2FA codes for logging in, or nearly anything else that requires them to prove they're you (except for major legal stuff) because – again, I cannot stress this enough – your phone number has evolved into a unique identifier that people just trust. You have control of that phone number, therefore you must be you.

The Way Out

While phone number tracking presents some unique challenges compared to other identifiers like usernames and email (which can be more easily and freely adjusted for), thankfully there are a plethora of options.

The first and easiest way to protect your phone number is simply to stop handing it out when asked. I have made many purchases where they ask for a phone number at checkout, the idea being that they can look up the receipt if I need to return anything, but instead I politely say “no thanks, please print a receipt,” which will often get met with an indifferent “okay.” Similarly, when going out to eat, telling the host or hostess “It's okay, we'll be right here in the lobby, please just let me know when the table's ready” is often met with the same response (assuming they don't tell you to just download the app and check in right there, but that's another blog post for another day). Many places still offer analog ways of accomplishing the task in question without violating your privacy; all you have to do is politely advocate for yourself.

Some situations, however, “require” a phone number. I'm thinking specifically of online services such as e-commerce, who demand a phone number to complete the order despite the fact they will never call you if there's a problem; they'll always email you instead. I prefer to use fake phone numbers for these situations. There's a host of options. The most well known is 867-5309 (which you can often successfully use at any given store that asks for a rewards number), while my personal favorite is (248) 434-5508, which plays Rick Astley's “Never Gonna Give You Up” on a loop. There's plenty of other joke or dead phone numbers you can find online, or you can always pick a real phone number to a business such as a hotel or pizza delivery place. (If you go with a business number, please try to pick a phone number that goes to an automated line – such as tech support or customer service – rather than one that will go straight to a real person. No need to ruin some innocent person's day who's just trying to do their job.)

Now we come to situations where you actually need a functional phone number you can control in your day-to-day life such as for work or keeping in touch with loved ones. In these cases, I would recommend becoming familiar with Voice-over-IP (or “VoIP”). VoIP services are harder to SIM-swap than traditional SIM cards, and because almost none of them require ID they aren't directly tied to your real name the same way a SIM phone number would be (though you should be aware that it can still show up on people search sites alongside your real name through other means). Unfortunately, nearly all VoIP services cater exclusively to the United States (or a handful of other English-speaking countries), and those present in other countries often cost a significant amount, so in some countries your best middle ground may be to use an eSIM instead of a traditional SIM card. eSIMs are becoming increasingly supported in modern phones, and are also harder to swap than traditional SIM cards for a variety of reasons.

One possible low-cost way of using VoIP could be to use a VoIP number for public-facing things (such as work or e-commerce) while reserving your actual SIM number for close friends and family. This would help create some separation between your personal and professional lives. Some people opt to use a VoIP number exclusively for 2FA codes, account recovery methods, or sensitive use-cases such as banking because of the enhanced security, and their SIM number for everything else. In a perfect world, you would've already convinced all your close friends and family to use an encrypted, privacy-respecting messenger like Signal, Session, or SimpleX to chat with you, thus essentially freeing up at least one phone number for use (or at least reducing your dependency on your one phone number). There's an infinite number of ways to configure things even with only a single free number; it really all comes down to your needs and threat model.

The free way to get started with VoIP is Google Voice, which offers one free number to users and can forward directly to your phone so you don't need a Google app. However, if you have the funds, there's tons of other options – like MySudo or Hushed – that will offer things like more phone numbers or a Google-free app. There's even services like Firefox Relay or Cloaked that can help mask your phone number, however you should be aware that the functionality of these services is severely limited (for example, you may not be able to make outgoing calls or send SMS messages, only receive them). These are useful services, but only for specific use-cases.

On the topic of 2FA and security, one great way to start protecting yourself from phone-number-based risks is to start migrating your security posture away from phone numbers. Use TOTP instead of SMS-based 2FA (more on that here), pick an email address instead of a phone number for recovery methods (then protect that email address accordingly), things like that. This will reduce your phone number exposure while also offering superior security. This way, even if you did fall prey to a SIM-swapping attack (for example), the damage would be minimized.

A final tip – which is definitely not free – is to get your phone anonymously where possible. While the US doesn't require an ID for a phone number, the default action for most people is simply to buy an expensive phone on a contract so that you end up paying an extra $100/month for the next two years instead of having to drop $1500 on a brand new iPhone up front. The advantage of buying up front, however, is that you don't have to submit to a credit check or sign a contract or stay locked into a single carrier. You can buy the phone without ever having to hand over identifying information and get service from a much cheaper MVNO (mobile virtual network operator) like Mint or Visible. In the case of Pixel phones, your phone is also unlocked from the start, allowing you to do things like install a privacy-respecting custom operating system. (Do your research on this, I hear a lot of claims that some carriers like Verizon don't allow OEM unlocking no matter what.)

What Have We Accomplished?

None of the advice I've given here actually solves the root issue of “your phone number ending up on a people search website.” However, we have created several helpful layers of protection:

  1. Compartmentalization. We've created a boundary between different areas of your life – personal and professional or sensitive and lower-risk, for example. This way people who try to abuse your phone number will find themselves limited in how much damage they can do or unable to find what they're looking for in the first place.
  2. Enhanced security. Thanks to the use of tools like VoIP and eSIMs – alongside other things like TOTP – you've hardened yourself against people who would try to take over your phone number and thus other aspects of your digital life.
  3. Privacy. In the case of an anonymous phone plan, you actually have created a good layer of protection between your name and your phone number – at least, by default. If you buy a phone plan on credit and tie your real name to it, they're automatically correlated. With an anonymous phone plan, there are still lots of ways those numbers can be tied together, but at that point they're mostly up to you and how well you practice the advice I gave in this article.

If you really wanted to go the extra mile, you could couple these strategies with a data removal service to help scrub your existing data from people search sites, making it even harder for malicious actors to find and abuse your data. A quick caveat though: I wouldn't recommend just signing up for one of these services and calling it a day. These services aren't always perfect and they won't do anything about data breaches or other illegal sources of data.

Even if you should decide to continue to use a single SIM phone number, I hope this blog post has at least helped you become aware of how this can be used to invade your privacy, and I hope you'll take at least the basic steps to protect yourself such as handing out your phone number less often and switching over to TOTP 2FA. I'm a firm believer that privacy is a spectrum, and every little step that moves you in the “more safe” direction is a positive one. But ultimately it's on you to decide what the right level of action is for you and take those steps.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more.