ABSTRACT
Phone numbers are intimately connected to our digital lives. People are increasingly required to disclose their phone number in digital spaces, both commercial and personal. While convenient for companies, the pervasive use of phone numbers as user identifiers also poses privacy, security, and access risks for individuals. In order to understand these risks, we present findings from a qualitative online elicitation study with 195 participants about their negative experiences with phone numbers, the consequences they faced, and how those consequences impacted their behavior. Our participants frequently reported experiencing phone number recycling, unwanted exposure, and temporary loss of access to a phone number. Resulting consequences they faced included harassment, account access problems, and privacy invasions. Based on our findings, we discuss service providers’ faulty assumptions in the use of phone numbers as user identifiers, problems arising from phone number recycling, and provide design and public policy recommendations for mitigating these issues with phone numbers.
- The Social Security Administration. 2018. Identity Theft and Your Social Security Number. https://www.ssa.gov/pubs/EN-05-10064.pdf, accessed 2020-08-15.Google Scholar
- North American Numbering Plan Administrator. 2019. April 2019 North American Numbering Plan (NANP) Exhaust Analysis. https://nationalnanpa.com/reports/April_2020_NANP_Exhaust_Analysis%20Final.pdf, accessed 2020-09-02.Google Scholar
- Syed Ishtiaque Ahmed, Md. Romael Haque, Jay Chen, and Nicola Dell. 2017. Digital Privacy Challenges with Shared Mobile Phone Use in Bangladesh. Proc. ACM Hum.-Comput. Interact. 1, CSCW, Article 17 (Dec. 2017), 20 pages. https://doi.org/10.1145/3134652Google ScholarDigital Library
- American Airlines. no date. BeNotified. https://www.aa.com/i18n/travel-info/travel-tools/benotified.jsp, accessed 2020-08-26.Google Scholar
- Deborah Amos. 2020. Lebanon’s Government Is Accused Of Swarming WhatsApp To Catch Protesters. https://www.npr.org/2020/03/09/809684634/lebanons-government-is-accused-of-swarming-whatsapp-to-catch-protesters, accessed 2020-09-01.Google Scholar
- Nathanael Andrews. 2018. ”Can I get your digits?”: Illegal Acquisition of wireless phone numbers for SIM-swap attacks and wireless provider liability. Nw. J. Tech. & Intell. Prop. 79 (2018). https://doi.org/10.13094/SMIF-2013-00004Google ScholarCross Ref
- Apple. 2020. Hide My Email for Sign in with Apple. https://support.apple.com/en-us/HT210425, accessed 2020-01-08.Google Scholar
- Apple. 2020. Using Dual SIM with an eSIM. https://support.apple.com/en-us/HT209044, accessed 2020-08-03.Google Scholar
- J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In 2012 IEEE Symposium on Security and Privacy. IEEE, USA, 553–567.Google Scholar
- Russell Brandom. 2019. The frighteningly simple technique that hijacked Jack Dorsey’s Twitter account. The Verge. https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping, accessed 2020-08-27.Google Scholar
- Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3, 2 (2006), 77–101. https://doi.org/10.1191/1478088706qp063oaGoogle ScholarCross Ref
- Finn Brunton and Helen Nissenbaum. 2015. Obfuscation. The MIT Press, USA.Google Scholar
- Pew Research Center. 2019. Mobile Fact Sheet. https://www.pewinternet.org/fact-sheet/mobile, accessed 2020-08-23.Google Scholar
- Brian X. Chen. 2019. I Shared My Phone Number. I Learned I Shouldn’t Have.The New York Times. https://www.nytimes.com/2019/08/15/technology/personaltech/i-shared-my-phone-number-i-learned-i-shouldnt-have.html, accessed 2020-08-10.Google Scholar
- Federal Trade Commission. no date. National Do Not Call Registry. https://www.donotcall.gov, accessed 2020-08-27.Google Scholar
- Google Account Help Community. 2019. How Many Gmail accounts can a person have? - I assume they all have to be linked to one number?https://support.google.com/accounts/thread/11008132, accessed 2020-08-26.Google Scholar
- Joseph Cox. 2019. I Gave a Bounty Hunter $300. Then He Located Our Phone. Vice. https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile Accessed 2020-08-10.Google Scholar
- CVS. no date. Pharmacy Text Alerts. https://www.cvs.com/mobile-cvs/text, accessed 2020-08-27.Google Scholar
- Periwinkle Doerfler, Kurt Thomas, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, and Damon McCoy. 2019. Evaluating Login Challenges as A Defense Against Account Takeover. In The World Wide Web Conference (San Francisco, CA, USA) (WWW ’19). Association for Computing Machinery, New York, NY, USA, 372–382. https://doi.org/10.1145/3308558.3313481Google ScholarDigital Library
- James Doubek. 2016. What Happens When You Get Sir Mix-A-Lot’s Phone Number. NPR. https://www.npr.org/2016/01/16/463219936/what-happens-when-you-get-sir-mix-a-lots-phone-number, accessed 2020-08-27.Google Scholar
- Nora A Draper and Joseph Turow. 2019. The corporate cultivation of digital resignation. New Media & Society 21, 8 (2019), 1824–1839. https://doi.org/10.1177/1461444819833331Google ScholarCross Ref
- Facebook. no date. Custom Audiences from your Customer List. https://www.facebook.com/business/help/170456843145568?id=2469097953376494&helpref=search&sr=5&query=custom%20audience, accessed 2021-01-12.Google Scholar
- Facebook. no date. Facebook Community Standards (IV)(18) Misrepresentation. https://www.facebook.com/communitystandards/misrepresentation, accessed 2020-08-27.Google Scholar
- Facebook. no date. How does Facebook use my mobile phone number?https://www.facebook.com/help/251747795694485, accessed 2020-08-26.Google Scholar
- Facebook. no date. I’m receiving email or text notifications about a Facebook account that doesn’t belong to me.https://www.facebook.com/help/225089214296643/?ref=u2u, accessed 2020-09-01.Google Scholar
- Facebook. no date. Where do People You May Know suggestions come from?https://www.facebook.com/help/163810437015615, accessed 2020-08-10.Google Scholar
- FCC. 2018. Second Report and Order. https://docs.fcc.gov/public/attachments/FCC-18-177A1.pdf, accessed 2020-08-10.Google Scholar
- Dinei Florencio and Cormac Herley. 2007. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th International Conference on World Wide Web (Banff, Alberta, Canada) (WWW ’07). Association for Computing Machinery, New York, NY, USA, 657–666. https://doi.org/10.1145/1242572.1242661Google ScholarDigital Library
- Adrian Harris Forman. 2012. My Phone Number’s Other Woman. The New York Times. https://www.nytimes.com/2012/10/14/opinion/sunday/my-phone-numbers-other-woman.html, accessed 2020-08-27.Google Scholar
- Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur. 2018. ”What Was That Site Doing with My Facebook Password?”: Designing Password-Reuse Notifications. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS ’18). Association for Computing Machinery, New York, NY, USA, 1549–1566. https://doi.org/10.1145/3243734.3243767Google ScholarDigital Library
- Google. no date. How to use dual SIMs on your Google Pixel phone. https://support.google.com/pixelphone/answer/9449293, accessed 2020-08-12.Google Scholar
- Google. no date. Set up a recovery phone number or email address. https://support.google.com/accounts/answer/183723, accessed 2020-08-26.Google Scholar
- Google. no date. Sign in with your phone instead of a password. https://support.google.com/accounts/answer/6361026, accessed 2020-08-27.Google Scholar
- Google. no date. Verify your account. https://support.google.com/accounts/answer/114129, accessed 2020-08-25.Google Scholar
- Paul A. Grassi, James L. Fenton, Elaine M. Newton, Ray A. Perlner, Andrew R. Regenscheid, William E. Burr, Justin P. Richer, Naomi B. Lefkovitz, Jamie M. Danker, Yee-Yin Choong, Kristen K. Greene, and Mary F. Theofanos. 2019. Digital Identity Guidelines: Authentication and Lifecycle Management. https://doi.org/10.6028/NIST.SP.800-63cNIST Special Publication 800-63B.Google ScholarCross Ref
- Roger Grimes. 2019. The many ways to hack 2FA. Network Security 2019, 9 (2019), 8–13.Google ScholarCross Ref
- World Bank Group. 2016. Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation. http://documents.worldbank.org/curated/en/600821469220400272/pdf/107201-WP-PUBLIC-WB-GSMA-SIADigitalIdentity-WEB.pdf, accessed 2020-08-27.Google Scholar
- Kashmir Hill. 2017. How Facebook Outs Sex Workers. Gizmodo. https://gizmodo.com/how-facebook-outs-sex-workers-1818861596, accessed 2020-09-01.Google Scholar
- Hiya. no date. Mr Number: Call Block & Reverse Lookup. https://hiya.com/downloads, accessed 2020-08-27.Google Scholar
- Sarah E. Igo. 2018. The Known Citizen. Harvard University Press, USA.Google Scholar
- Alison Grace Johansen. no date. 5 Kinds of ID Theft Using a Social Security Number. NortonLifeLock. https://www.lifelock.com/learn-identity-theft-resources-kinds-of-id-theft-using-social-security-number.html, accessed 2020-08-15.Google Scholar
- jp88. 2019. Phone number limit. Google Account Help Community. https://support.google.com/accounts/thread/13443342, accessed 2020-08-23.Google Scholar
- Richie Koch. 2020. The Proton guide to privacy at protests. https://protonmail.com/blog/how-to-protect-privacy-at-protests/, accessed 2020-09-11.Google Scholar
- Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. 2011. Of Passwords and People: Measuring the Effect of Password-composition Policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Vancouver, BC, Canada) (CHI ’11). ACM, New York, NY, USA, 2595–2604. https://doi.org/10.1145/1978942.1979321Google ScholarDigital Library
- Pawel Laka and Wojciech Mazurczyk. 2018. User perspective and security of a new mobile authentication method. Telecommunication Systems 69, 3 (01 Nov 2018), 365–379. https://doi.org/10.1007/s11235-018-0437-1Google ScholarDigital Library
- Ravie Lakshmanan. 2019. Loyalty programs cost you your personal data - are the rewards worth it?The Next Web. https://thenextweb.com/insights/2019/06/12/loyalty-programs-cost-you-your-personal-data-are-the-rewards-worth-it/, accessed 2020-09-01.Google Scholar
- Selena Larson. 2020. Every single Yahoo account was hacked - 3 billion in all. https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html, accessed 2020-09-11.Google Scholar
- Kevin Lee, Benjamin Kaiser, Jonathan Mayer, and Arvind Narayanan. 2020. An Empirical Study of Wireless Carrier Authentication for SIM Swaps. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). USENIX, USA, 61–79. https://www.usenix.org/conference/soups2020/presentation/leeGoogle Scholar
- Mary Madden. 2017. PRIVACY, SECURITY, AND DIGITAL INEQUALITY. https://datasociety.net/library/privacy-security-and-digital-inequality, accessed 2020-08-01.Google Scholar
- Alice E. Marwick and danah boyd. 2011. I tweet honestly, I tweet passionately: Twitter users, context collapse, and the imagined audience. New Media & Society 13, 1 (2011), 114–133. https://doi.org/10.1177/1461444810365313Google ScholarCross Ref
- Mary L. McHugh. 2012. Interrater reliability: The kappa statistic. Biochemia Medica 22(2012), 276–282. https://doi.org/10.11613/bm.2012.031Google ScholarCross Ref
- William Melicher, Darya Kurilova, Sean M. Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Michelle L. Mazurek. 2016. Usability and Security of Text Passwords on Mobile Devices. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (San Jose, California, USA) (CHI ’16). ACM, New York, NY, USA, 527–539. https://doi.org/10.1145/2858036.2858384Google ScholarDigital Library
- Blase Ur Miranda Wei, Maximilian Golla. 2018. The Password Doesn’t Fall Far:How Service Influences Password Choice. Proceedings of the Who Are You?! Adventures in Authentication 2018 Workshop (WAY) 4th WAY(2018).Google Scholar
- Ariana Mirian, Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, and Kurt Thomas. 2019. Hack for Hire: Exploring the Emerging Market for Account Hijacking. In The World Wide Web Conference (San Francisco, CA, USA) (WWW ’19). Association for Computing Machinery, New York, NY, USA, 1279–1289. https://doi.org/10.1145/3308558.3313489Google ScholarDigital Library
- Lily Hay Newman. 2018. Phone Numbers Were Never Meant as ID. Now We’re All At Risk. Wired. https://www.wired.com/story/phone-numbers-indentification-authentication, accessed 2020-08-26.Google Scholar
- Casey Newton. 2014. Inside Twitter’s ambitious plan to kill the password. The Verge. https://www.theverge.com/2014/10/22/7034113/inside-twitters-ambitious-plan-to-kill-the-password-on-mobile-devices, accessed 2020-08-27.Google Scholar
- Nathaniel Popper. 2017. Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency. The New York Times. https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html, accessed 2020-08-26.Google Scholar
- Henry F. Pringle and Katherine Pringle. 1954. Sixty Million Headaches Every Year. The Saturday Evening Post. http://www.saturdayeveningpost.com/wp-content/uploads/satevepost/sixty_million_headaches.pdf, accessed 2020-08-15.Google Scholar
- Cooper Quintin. 2018. Our Cellphones Aren’t Safe. The New York Times. https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html, accessed 2020-08-16.Google Scholar
- Emilee Rader and Anjali Munasinghe. 2019. ”Wait, Do I Know This Person?”: Understanding Misdirected Email. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (Glasgow, Scotland UK) (CHI ’19). Association for Computing Machinery, New York, NY, USA, 1–13. https://doi.org/10.1145/3290605.3300520Google ScholarDigital Library
- Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. 2020. A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, USA, 89–108. https://www.usenix.org/conference/usenixsecurity20/presentation/redmilesGoogle Scholar
- Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A Usability Study of Five Two-Factor Authentication Methods. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/soups2019/presentation/reeseGoogle Scholar
- J. H. Saltzer and M. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63(1975), 1278–1308.Google ScholarCross Ref
- Richard Shay, Iulia Ion, Robert W. Reeder, and Sunny Consolvo. 2014. ”My Religious Aunt Asked Why I Was Trying to Sell Her Viagra”: Experiences with Account Hijacking. In Proceedings of the 32Nd Annual ACM Conference on Human Factors in Computing Systems (Toronto, Ontario, Canada) (CHI ’14). ACM, New York, NY, USA, 2657–2666. https://doi.org/10.1145/2556288.2557330Google ScholarDigital Library
- Hossein Siadati, Toan Nguyen, Payas Gupta, Markus Jakobsson, and Nasir Memon. 2017. Mind your SMSes: Mitigating social engineering in second factor authentication. Computers and Security 65 (2017), 14–28.Google ScholarDigital Library
- Signal. no date. Register a phone number. https://support.signal.org/hc/en-us/articles/360007318691-Register-a-phone-number, accessed 2020-09-01.Google Scholar
- Robert Snell. 2017. Feds use anti-terror tool to hunt the undocumented. The Detroit News. https://www.detroitnews.com/story/news/local/detroit-city/2017/05/18/cell-snooping-fbi-immigrant/101859616/, accessed 2021-01-10.Google Scholar
- Telegram. no date. Telegram FAQ - Phone Number. https://telegram.org/faq#q-i-have-a-new-phone-number-what-do-i-do, accessed 2020-09-01.Google Scholar
- Twitter. no date. About your email and phone number discoverability privacy settings. https://help.twitter.com/en/safety-and-security/email-and-phone-discoverability-settings, accessed 2020-09-01.Google Scholar
- Twitter. no date. Personal information and ads on Twitter. https://help.twitter.com/en/information-and-ads, accessed 2020-08-22.Google Scholar
- Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2012. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Conference on Security Symposium (Bellevue, WA) (Security’12). USENIX Association, Berkeley, CA, USA, 5–5. http://dl.acm.org.proxy.lib.umich.edu/citation.cfm?id=2362793.2362798Google ScholarDigital Library
- G. Venkatadri, A. Andreou, Y. Liu, A. Mislove, K. P. Gummadi, P. Loiseau, and O. Goga. 2018. Privacy Risks with Facebook’s PII-Based Targeting: Auditing a Data Broker’s Advertising Interface. In 2018 IEEE Symposium on Security and Privacy (SP). IEE, USA, 89–107. https://doi.org/10.1109/SP.2018.00014Google ScholarCross Ref
- WhatsApp. no date. How to verify your number. https://faq.whatsapp.com/iphone/verification/how-to-verify-your-number, accessed 2020-09-01.Google Scholar
- Yan Zhao, Shiming Li, and Liehui Jiang. 2018. Secure and Efficient User Authentication Scheme Based on Password and Smart Card for Multiserver Environment. Security and Communication Networks 2018 (05 2018), 1–13. https://doi.org/10.1155/2018/9178941Google ScholarCross Ref
- Yixin Zou, Abraham H. Mhaidli, Austin McCall, and Florian Schaub. 2018. ”I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 197–216. https://www.usenix.org/conference/soups2018/presentation/zouGoogle Scholar
Index Terms
- The Annoying, the Disturbing, and the Weird: Challenges with Phone Numbers as Identifiers and Phone Number Recycling
Recommendations
Mobile phone-to-phone personal context sharing
ISCIT'09: Proceedings of the 9th international conference on Communications and information technologiesSharing personal context information using mobile phone is receiving considerable attentions in ubiquitous computing applications. The most common architecture for sharing personal context information via mobile phone uses centralized server. Such ...
Assessing mobile phone communication utility preferences in a social support network
While it is generally accepted that the mobile cell phone has become ubiquitous within society for communicating, the actual use of the utilities on a phone have not been reported. Understanding how communication patterns are changing in society as a ...
Electronic retention: what does your mobile phone reveal about you?
The global information rich society is increasingly dependent on mobile phone technology for daily activities. A substantial secondary market in mobile phones has developed as a result of a relatively short life-cycle and recent regulatory measures on ...
Comments