---
title: 'Your Phone Number is a Snitch'
description: 'Why secure messaging fails at identity'
date: '2026-01-13'
---

Most "secure" apps protect what you say but broadcast exactly who you are. Privacy is a dead end if it starts with a SIM card.

We’ve traded anonymity for a "frictionless" onboarding process that treats your phone number as a permanent, global ID. It’s the ultimate metadata leak, and most users are too lazy to care.

> "Encryption hides the message, but the phone number reveals the target. You can’t be private if you aren't anonymous."
> — Anonymous

## The Onboarding Trap

The primary reason apps like Signal, Telegram, or WhatsApp demand your number is simple: growth. Using your contact list to "find friends" creates a viral loop that makes user acquisition free.

This "discovery" feature is a privacy nightmare. When you sync your contacts, you are uploading the social graph of everyone you know—including people who never consented to be on the platform—to a central server.

Hashing those numbers (SHA-256) is a joke. Since the search space for phone numbers is tiny (about combinations), any script-kiddie can rainbow-table the hashes back to raw numbers in minutes.

## The KYC Backdoor

In most jurisdictions, a phone number is a government-issued ID. Between SIM registration laws and credit card billing, your number is hard-linked to your legal name and physical address.

By requiring a number, "secure" apps inherit the surveillance state’s existing database. If a state actor wants to know who @CyberGhost is, they don't need to break the encryption; they just need to subpoena the carrier for the owner of the number.

It’s an architectural choice to prioritize convenience over actual threat modeling. If you can't sign up via a random string of characters or an onion address, the app isn't built for your safety—it’s built for its own scale.

## The SS7 and SIM Swap Risk

Relying on a phone number means your account security is only as strong as a telco’s minimum-wage customer rep. SIM swapping is a trivial exploit that bypasses your "secure" encryption by hijacking the account recovery process.

Furthermore, the SS7 protocol used by global roaming networks is a sieve. State actors can intercept SMS verification codes before they even reach your device, making "secure" account creation a theater of security.

## Why it matters / How to use it

If you actually need to vanish, stop using apps that require a SIM. You need systems that decouple identity from hardware.

| Protocol     | ID Type             | Metadata Leak                     |
| ------------ | ------------------- | --------------------------------- |
| **Signal**   | Phone Number        | High (Social Graph)               |
| **WhatsApp** | Phone Number        | Extreme (Everything but the text) |
| **Session**  | Session ID (Pubkey) | Near Zero (Onion Routed)          |
| **SimpleX**  | No Global ID        | Zero (Pairwise keys)              |

**The Protocol Choice:**

1. **SimpleX Chat:** It uses no identifiers at all. Not even a random ID. Every connection is a unique cryptographic pair.
2. **Session:** Uses the Oxen Service Node Network to onion-route your messages. Your ID is just a public key.
3. **Matrix (with caveats):** Can be run without a number if the homeserver allows it, but metadata remains a concern depending on the host.

Identity is the only metadata that truly matters. If you give them your number, you’ve already lost the game.