research-article

The Annoying, the Disturbing, and the Weird: Challenges with Phone Numbers as Identifiers and Phone Number Recycling

Authors:
Allison McDonald

Computer Science & Engineering University of Michigan, United States

Computer Science & Engineering University of Michigan, United States
View Profile

,
Carlo Sugatan

School of Information University of Michigan, United States

School of Information University of Michigan, United States
View Profile

,
Tamy Guberek

School of Information University of Michigan, United States

School of Information University of Michigan, United States
View Profile

,
Florian Schaub

School of Information University of Michigan, United States

School of Information University of Michigan, United States
View Profile

CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing SystemsMay 2021Article No.: 559Pages 1–14https://doi.org/10.1145/3411764.3445085

Published:07 May 2021Publication History

CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

Pages 1–14

ABSTRACT

Phone numbers are intimately connected to our digital lives. People are increasingly required to disclose their phone number in digital spaces, both commercial and personal. While convenient for companies, the pervasive use of phone numbers as user identifiers also poses privacy, security, and access risks for individuals. In order to understand these risks, we present findings from a qualitative online elicitation study with 195 participants about their negative experiences with phone numbers, the consequences they faced, and how those consequences impacted their behavior. Our participants frequently reported experiencing phone number recycling, unwanted exposure, and temporary loss of access to a phone number. Resulting consequences they faced included harassment, account access problems, and privacy invasions. Based on our findings, we discuss service providers’ faulty assumptions in the use of phone numbers as user identifiers, problems arising from phone number recycling, and provide design and public policy recommendations for mitigating these issues with phone numbers.

References

The Social Security Administration. 2018. Identity Theft and Your Social Security Number. https://www.ssa.gov/pubs/EN-05-10064.pdf, accessed 2020-08-15.Google Scholar
North American Numbering Plan Administrator. 2019. April 2019 North American Numbering Plan (NANP) Exhaust Analysis. https://nationalnanpa.com/reports/April_2020_NANP_Exhaust_Analysis%20Final.pdf, accessed 2020-09-02.Google Scholar
Syed Ishtiaque Ahmed, Md. Romael Haque, Jay Chen, and Nicola Dell. 2017. Digital Privacy Challenges with Shared Mobile Phone Use in Bangladesh. Proc. ACM Hum.-Comput. Interact. 1, CSCW, Article 17 (Dec. 2017), 20 pages. https://doi.org/10.1145/3134652Google ScholarDigital Library
American Airlines. no date. BeNotified. https://www.aa.com/i18n/travel-info/travel-tools/benotified.jsp, accessed 2020-08-26.Google Scholar
Deborah Amos. 2020. Lebanon’s Government Is Accused Of Swarming WhatsApp To Catch Protesters. https://www.npr.org/2020/03/09/809684634/lebanons-government-is-accused-of-swarming-whatsapp-to-catch-protesters, accessed 2020-09-01.Google Scholar
Nathanael Andrews. 2018. ”Can I get your digits?”: Illegal Acquisition of wireless phone numbers for SIM-swap attacks and wireless provider liability. Nw. J. Tech. & Intell. Prop. 79 (2018). https://doi.org/10.13094/SMIF-2013-00004Google ScholarCross Ref
Apple. 2020. Hide My Email for Sign in with Apple. https://support.apple.com/en-us/HT210425, accessed 2020-01-08.Google Scholar
Apple. 2020. Using Dual SIM with an eSIM. https://support.apple.com/en-us/HT209044, accessed 2020-08-03.Google Scholar
J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In 2012 IEEE Symposium on Security and Privacy. IEEE, USA, 553–567.Google Scholar
Russell Brandom. 2019. The frighteningly simple technique that hijacked Jack Dorsey’s Twitter account. The Verge. https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping, accessed 2020-08-27.Google Scholar
Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3, 2 (2006), 77–101. https://doi.org/10.1191/1478088706qp063oaGoogle ScholarCross Ref
Finn Brunton and Helen Nissenbaum. 2015. Obfuscation. The MIT Press, USA.Google Scholar
Pew Research Center. 2019. Mobile Fact Sheet. https://www.pewinternet.org/fact-sheet/mobile, accessed 2020-08-23.Google Scholar
Brian X. Chen. 2019. I Shared My Phone Number. I Learned I Shouldn’t Have.The New York Times. https://www.nytimes.com/2019/08/15/technology/personaltech/i-shared-my-phone-number-i-learned-i-shouldnt-have.html, accessed 2020-08-10.Google Scholar
Federal Trade Commission. no date. National Do Not Call Registry. https://www.donotcall.gov, accessed 2020-08-27.Google Scholar
Google Account Help Community. 2019. How Many Gmail accounts can a person have? - I assume they all have to be linked to one number?https://support.google.com/accounts/thread/11008132, accessed 2020-08-26.Google Scholar
Joseph Cox. 2019. I Gave a Bounty Hunter $300. Then He Located Our Phone. Vice. https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile Accessed 2020-08-10.Google Scholar
CVS. no date. Pharmacy Text Alerts. https://www.cvs.com/mobile-cvs/text, accessed 2020-08-27.Google Scholar
Periwinkle Doerfler, Kurt Thomas, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, and Damon McCoy. 2019. Evaluating Login Challenges as A Defense Against Account Takeover. In The World Wide Web Conference (San Francisco, CA, USA) (WWW ’19). Association for Computing Machinery, New York, NY, USA, 372–382. https://doi.org/10.1145/3308558.3313481Google ScholarDigital Library
James Doubek. 2016. What Happens When You Get Sir Mix-A-Lot’s Phone Number. NPR. https://www.npr.org/2016/01/16/463219936/what-happens-when-you-get-sir-mix-a-lots-phone-number, accessed 2020-08-27.Google Scholar
Nora A Draper and Joseph Turow. 2019. The corporate cultivation of digital resignation. New Media & Society 21, 8 (2019), 1824–1839. https://doi.org/10.1177/1461444819833331Google ScholarCross Ref
Facebook. no date. Custom Audiences from your Customer List. https://www.facebook.com/business/help/170456843145568?id=2469097953376494&helpref=search&sr=5&query=custom%20audience, accessed 2021-01-12.Google Scholar
Facebook. no date. Facebook Community Standards (IV)(18) Misrepresentation. https://www.facebook.com/communitystandards/misrepresentation, accessed 2020-08-27.Google Scholar
Facebook. no date. How does Facebook use my mobile phone number?https://www.facebook.com/help/251747795694485, accessed 2020-08-26.Google Scholar
Facebook. no date. I’m receiving email or text notifications about a Facebook account that doesn’t belong to me.https://www.facebook.com/help/225089214296643/?ref=u2u, accessed 2020-09-01.Google Scholar
Facebook. no date. Where do People You May Know suggestions come from?https://www.facebook.com/help/163810437015615, accessed 2020-08-10.Google Scholar
FCC. 2018. Second Report and Order. https://docs.fcc.gov/public/attachments/FCC-18-177A1.pdf, accessed 2020-08-10.Google Scholar
Dinei Florencio and Cormac Herley. 2007. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th International Conference on World Wide Web (Banff, Alberta, Canada) (WWW ’07). Association for Computing Machinery, New York, NY, USA, 657–666. https://doi.org/10.1145/1242572.1242661Google ScholarDigital Library
Adrian Harris Forman. 2012. My Phone Number’s Other Woman. The New York Times. https://www.nytimes.com/2012/10/14/opinion/sunday/my-phone-numbers-other-woman.html, accessed 2020-08-27.Google Scholar
Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur. 2018. ”What Was That Site Doing with My Facebook Password?”: Designing Password-Reuse Notifications. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS ’18). Association for Computing Machinery, New York, NY, USA, 1549–1566. https://doi.org/10.1145/3243734.3243767Google ScholarDigital Library
Google. no date. How to use dual SIMs on your Google Pixel phone. https://support.google.com/pixelphone/answer/9449293, accessed 2020-08-12.Google Scholar
Google. no date. Set up a recovery phone number or email address. https://support.google.com/accounts/answer/183723, accessed 2020-08-26.Google Scholar
Google. no date. Sign in with your phone instead of a password. https://support.google.com/accounts/answer/6361026, accessed 2020-08-27.Google Scholar
Google. no date. Verify your account. https://support.google.com/accounts/answer/114129, accessed 2020-08-25.Google Scholar
Paul A. Grassi, James L. Fenton, Elaine M. Newton, Ray A. Perlner, Andrew R. Regenscheid, William E. Burr, Justin P. Richer, Naomi B. Lefkovitz, Jamie M. Danker, Yee-Yin Choong, Kristen K. Greene, and Mary F. Theofanos. 2019. Digital Identity Guidelines: Authentication and Lifecycle Management. https://doi.org/10.6028/NIST.SP.800-63cNIST Special Publication 800-63B.Google ScholarCross Ref
Roger Grimes. 2019. The many ways to hack 2FA. Network Security 2019, 9 (2019), 8–13.Google ScholarCross Ref
World Bank Group. 2016. Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation. http://documents.worldbank.org/curated/en/600821469220400272/pdf/107201-WP-PUBLIC-WB-GSMA-SIADigitalIdentity-WEB.pdf, accessed 2020-08-27.Google Scholar
Kashmir Hill. 2017. How Facebook Outs Sex Workers. Gizmodo. https://gizmodo.com/how-facebook-outs-sex-workers-1818861596, accessed 2020-09-01.Google Scholar
Hiya. no date. Mr Number: Call Block & Reverse Lookup. https://hiya.com/downloads, accessed 2020-08-27.Google Scholar
Sarah E. Igo. 2018. The Known Citizen. Harvard University Press, USA.Google Scholar
Alison Grace Johansen. no date. 5 Kinds of ID Theft Using a Social Security Number. NortonLifeLock. https://www.lifelock.com/learn-identity-theft-resources-kinds-of-id-theft-using-social-security-number.html, accessed 2020-08-15.Google Scholar
jp88. 2019. Phone number limit. Google Account Help Community. https://support.google.com/accounts/thread/13443342, accessed 2020-08-23.Google Scholar
Richie Koch. 2020. The Proton guide to privacy at protests. https://protonmail.com/blog/how-to-protect-privacy-at-protests/, accessed 2020-09-11.Google Scholar
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. 2011. Of Passwords and People: Measuring the Effect of Password-composition Policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Vancouver, BC, Canada) (CHI ’11). ACM, New York, NY, USA, 2595–2604. https://doi.org/10.1145/1978942.1979321Google ScholarDigital Library
Pawel Laka and Wojciech Mazurczyk. 2018. User perspective and security of a new mobile authentication method. Telecommunication Systems 69, 3 (01 Nov 2018), 365–379. https://doi.org/10.1007/s11235-018-0437-1Google ScholarDigital Library
Ravie Lakshmanan. 2019. Loyalty programs cost you your personal data - are the rewards worth it?The Next Web. https://thenextweb.com/insights/2019/06/12/loyalty-programs-cost-you-your-personal-data-are-the-rewards-worth-it/, accessed 2020-09-01.Google Scholar
Selena Larson. 2020. Every single Yahoo account was hacked - 3 billion in all. https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html, accessed 2020-09-11.Google Scholar
Kevin Lee, Benjamin Kaiser, Jonathan Mayer, and Arvind Narayanan. 2020. An Empirical Study of Wireless Carrier Authentication for SIM Swaps. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). USENIX, USA, 61–79. https://www.usenix.org/conference/soups2020/presentation/leeGoogle Scholar
Mary Madden. 2017. PRIVACY, SECURITY, AND DIGITAL INEQUALITY. https://datasociety.net/library/privacy-security-and-digital-inequality, accessed 2020-08-01.Google Scholar
Alice E. Marwick and danah boyd. 2011. I tweet honestly, I tweet passionately: Twitter users, context collapse, and the imagined audience. New Media & Society 13, 1 (2011), 114–133. https://doi.org/10.1177/1461444810365313Google ScholarCross Ref
Mary L. McHugh. 2012. Interrater reliability: The kappa statistic. Biochemia Medica 22(2012), 276–282. https://doi.org/10.11613/bm.2012.031Google ScholarCross Ref
William Melicher, Darya Kurilova, Sean M. Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Michelle L. Mazurek. 2016. Usability and Security of Text Passwords on Mobile Devices. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (San Jose, California, USA) (CHI ’16). ACM, New York, NY, USA, 527–539. https://doi.org/10.1145/2858036.2858384Google ScholarDigital Library
Blase Ur Miranda Wei, Maximilian Golla. 2018. The Password Doesn’t Fall Far:How Service Influences Password Choice. Proceedings of the Who Are You?! Adventures in Authentication 2018 Workshop (WAY) 4th WAY(2018).Google Scholar
Ariana Mirian, Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, and Kurt Thomas. 2019. Hack for Hire: Exploring the Emerging Market for Account Hijacking. In The World Wide Web Conference (San Francisco, CA, USA) (WWW ’19). Association for Computing Machinery, New York, NY, USA, 1279–1289. https://doi.org/10.1145/3308558.3313489Google ScholarDigital Library
Lily Hay Newman. 2018. Phone Numbers Were Never Meant as ID. Now We’re All At Risk. Wired. https://www.wired.com/story/phone-numbers-indentification-authentication, accessed 2020-08-26.Google Scholar
Casey Newton. 2014. Inside Twitter’s ambitious plan to kill the password. The Verge. https://www.theverge.com/2014/10/22/7034113/inside-twitters-ambitious-plan-to-kill-the-password-on-mobile-devices, accessed 2020-08-27.Google Scholar
Nathaniel Popper. 2017. Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency. The New York Times. https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html, accessed 2020-08-26.Google Scholar
Henry F. Pringle and Katherine Pringle. 1954. Sixty Million Headaches Every Year. The Saturday Evening Post. http://www.saturdayeveningpost.com/wp-content/uploads/satevepost/sixty_million_headaches.pdf, accessed 2020-08-15.Google Scholar
Cooper Quintin. 2018. Our Cellphones Aren’t Safe. The New York Times. https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html, accessed 2020-08-16.Google Scholar
Emilee Rader and Anjali Munasinghe. 2019. ”Wait, Do I Know This Person?”: Understanding Misdirected Email. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (Glasgow, Scotland UK) (CHI ’19). Association for Computing Machinery, New York, NY, USA, 1–13. https://doi.org/10.1145/3290605.3300520Google ScholarDigital Library
Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. 2020. A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, USA, 89–108. https://www.usenix.org/conference/usenixsecurity20/presentation/redmilesGoogle Scholar
Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A Usability Study of Five Two-Factor Authentication Methods. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/soups2019/presentation/reeseGoogle Scholar
J. H. Saltzer and M. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63(1975), 1278–1308.Google ScholarCross Ref
Richard Shay, Iulia Ion, Robert W. Reeder, and Sunny Consolvo. 2014. ”My Religious Aunt Asked Why I Was Trying to Sell Her Viagra”: Experiences with Account Hijacking. In Proceedings of the 32Nd Annual ACM Conference on Human Factors in Computing Systems (Toronto, Ontario, Canada) (CHI ’14). ACM, New York, NY, USA, 2657–2666. https://doi.org/10.1145/2556288.2557330Google ScholarDigital Library
Hossein Siadati, Toan Nguyen, Payas Gupta, Markus Jakobsson, and Nasir Memon. 2017. Mind your SMSes: Mitigating social engineering in second factor authentication. Computers and Security 65 (2017), 14–28.Google ScholarDigital Library
Signal. no date. Register a phone number. https://support.signal.org/hc/en-us/articles/360007318691-Register-a-phone-number, accessed 2020-09-01.Google Scholar
Robert Snell. 2017. Feds use anti-terror tool to hunt the undocumented. The Detroit News. https://www.detroitnews.com/story/news/local/detroit-city/2017/05/18/cell-snooping-fbi-immigrant/101859616/, accessed 2021-01-10.Google Scholar
Telegram. no date. Telegram FAQ - Phone Number. https://telegram.org/faq#q-i-have-a-new-phone-number-what-do-i-do, accessed 2020-09-01.Google Scholar
Twitter. no date. About your email and phone number discoverability privacy settings. https://help.twitter.com/en/safety-and-security/email-and-phone-discoverability-settings, accessed 2020-09-01.Google Scholar
Twitter. no date. Personal information and ads on Twitter. https://help.twitter.com/en/information-and-ads, accessed 2020-08-22.Google Scholar
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2012. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Conference on Security Symposium (Bellevue, WA) (Security’12). USENIX Association, Berkeley, CA, USA, 5–5. http://dl.acm.org.proxy.lib.umich.edu/citation.cfm?id=2362793.2362798Google ScholarDigital Library
G. Venkatadri, A. Andreou, Y. Liu, A. Mislove, K. P. Gummadi, P. Loiseau, and O. Goga. 2018. Privacy Risks with Facebook’s PII-Based Targeting: Auditing a Data Broker’s Advertising Interface. In 2018 IEEE Symposium on Security and Privacy (SP). IEE, USA, 89–107. https://doi.org/10.1109/SP.2018.00014Google ScholarCross Ref
WhatsApp. no date. How to verify your number. https://faq.whatsapp.com/iphone/verification/how-to-verify-your-number, accessed 2020-09-01.Google Scholar
Yan Zhao, Shiming Li, and Liehui Jiang. 2018. Secure and Efficient User Authentication Scheme Based on Password and Smart Card for Multiserver Environment. Security and Communication Networks 2018 (05 2018), 1–13. https://doi.org/10.1155/2018/9178941Google ScholarCross Ref
Yixin Zou, Abraham H. Mhaidli, Austin McCall, and Florian Schaub. 2018. ”I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 197–216. https://www.usenix.org/conference/soups2018/presentation/zouGoogle Scholar

Index Terms

The Annoying, the Disturbing, and the Weird: Challenges with Phone Numbers as Identifiers and Phone Number Recycling
1. Human-centered computing
2. Social and professional topics

Index terms have been assigned to the content through auto-classification.

Recommendations

Mobile phone-to-phone personal context sharing
ISCIT'09: Proceedings of the 9th international conference on Communications and information technologies

Sharing personal context information using mobile phone is receiving considerable attentions in ubiquitous computing applications. The most common architecture for sharing personal context information via mobile phone uses centralized server. Such ...
Read More
Assessing mobile phone communication utility preferences in a social support network

While it is generally accepted that the mobile cell phone has become ubiquitous within society for communicating, the actual use of the utilities on a phone have not been reported. Understanding how communication patterns are changing in society as a ...
Read More
Electronic retention: what does your mobile phone reveal about you?

The global information rich society is increasingly dependent on mobile phone technology for daily activities. A substantial secondary market in mobile phones has developed as a result of a relatively short life-cycle and recent regulatory measures on ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems
May 2021
10862 pages
ISBN:9781450380966
DOI:10.1145/3411764
General Chairs:
Yoshifumi Kitamura
Tohoku University, Japan
,
Aaron Quigley
University of New South Wales, Australia
,
Program Chairs:
Katherine Isbister
University of California Santa Cruz, USA
,
Takeo Igarashi
The University of Tokyo, Japan
,
Publications Chairs:
Pernille Bjørn
University of Copenhagen, Denmark
,
Steven Drucker
Microsoft Research, USA
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 May 2021
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Privacy
phone number recycling.
phone numbers
security
user identification
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
Overall Acceptance Rate6,199of26,314submissions,24%
Upcoming Conference
CHI '24

Sponsor:

sigchi

CHI Conference on Human Factors in Computing Systems

May 11 - 16, 2024

Honolulu , HI , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 6
  Total Citations
  View Citations
- 391
  Total Downloads
- Downloads (Last 12 months)82
- Downloads (Last 6 weeks)14
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

The Annoying, the Disturbing, and the Weird: Challenges with Phone Numbers as Identifiers and Phone Number Recycling

CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

ABSTRACT

References

Cited By

Index Terms

Recommendations

Mobile phone-to-phone personal context sharing

Assessing mobile phone communication utility preferences in a social support network

Electronic retention: what does your mobile phone reveal about you?