Phone Number Isolation for Privacy - Thoughts and Questions

Good day,

I’m new to this forum, very interesting topics and discussions.

I became aware of the many ways our privacy is violated (after the local school system installed spyware on my personal laptop. Used my personal machine because they didn’t have enough devices and my kids needed to be kept up to speed)

Privacy violations include online, by apps, iPhones, Google Phones (GApps) or a computer OS (windows to me is a “boot sector virus”).

Landed on Linux, which can be somewhat straightforward, with VPN’s, browser isolation, etc.

And use a degoogled phone for personal purposes, my employer provides iPhones for business purposes.

Followed a number of privacy advocates online, but mostly Rob Braxman Tech (Rob Braxman Tech) a lot of his advice makes sense.

I’m trying to improve my knowledge of phone number isolation, Phone Number Tracking…

This is somewhat detailed, kindly read everything and then share any thoughtful comments, these are most welcome.

A few questions occur to me after watching one of Rob’ Braxman’s video a number of times.

He does cover the phone topic in many of his videos, this is one of the more recent ones.

“We are Being Tracked on the Internet Via Our Phone Number! Zero Anonymity 8-14-2024”

(We are Being Tracked on the Internet Via Our Phone Number! Zero Anonymity)

Generally, he has the idea to isolate phone numbers so that your “main” number does not have an online presence and you use a 2nd phone number for 2FA (2 Factor Authentication) purposes.

Background:

this paragraph is to outline some of my concerns, the actual questions are in the USE CASES below

If you have a number for 2FA purposes (accounts where you have an internet presence)

and the business enforces KYC (Know Your Customer), or you have to use a credit card (then your identity is known)

for example, banks, credit cards, hotels, online shopping etc.

What about other online sites that you do not have to use a credit card but requires a phone number?

For example telegram, signal, various online forums

Should that be the same 2FA number?

What is the risk in doing so?

Does telegram, signal, etc. accept Virtual Phone Numbers?

(I’ve heard a number of accounts only accept an actual Mobile (PTSN) phone number.

If I give my main telephone number to friends, family, and others with routine relationships, I can’t control what they might do with this number on their side.

Almost seems to me like I need a number for “trusted” relationships.

• • *Have a look at my Use Cases and share comments.

I SEE AT LEAST FOUR USE CASES:

Phone setup:

degoogled phone (Pixel w Graphene OS)

1 Mobile number (PSTN: Public Switched Telephone Network) on SIM card

1 Mobile number on eSIM card

1 JMP (XMPP) phone number (https://jmp.chat/) - works with wifi, reverse tether to ethernet or data only SIM

2 profiles on the phone:

Owner – privacy focused apps

Alternate – sandboxed GApps (Google Apps) , Google Play Store, for apps that need this to run

USE CASE ONE:

Phone No. 01 - Not used for 2FA

Main Cell Phone No. (PSTN):

Phone approach for this number - use on the degoogled phone (Pixel w Graphene OS), main profile, no GApps (Google Apps) installed in this profile.

People I know or other routine relationships

For example: Friends, Family, businesses and organizations that I have a routine relationships

this includes doctors, dentists, car repairs, library, kids schools and other groups (soccer, music, swimming, baseball, dance, etc.)

There is a difficulty with this approach…

The intention is not to use this on the internet, but there are organizations that use your phone number for notifications, and often use that in an app. My kids are in several different activity groups, each use BAND.US, which uses one of my e-mails and phone numbers. The org can send mass text messages about schedule changes, etc. It does not seem practical to segregate contacts within this group, based on the risk of the number being “used” online.

QUESTION(S): What risks are there in this “pool” of contacts? Maybe is would be better to peel off the orgs that use Apps (like Band US) and put them on my 2FA number, and use them on the GApps profile, thoughts?

USE CASE TWO:

Phone No. 02 - Used for 2FA

2FA Cell Phone No. (PSTN) for businesses requiring KYC

Phone approach for this number - use on the degoogled phone, separate profile, has GApps (Google Apps) installed in this profile, Banks, Airlines, etc. So, this proifie is isolated from my main (owner) profile.

This is for businesses where your identity is fully known and you interact with these businesses regularly, Banks, Credit Cards, Rental Cars, Hotels, Airlines, etc.

QUESTION(S): Is this same number that I should use when communicating by phone with the Bank, Airline, etc.?

USE CASE TWO (ALTERNATE):

2FA Application (e.g. Ubikey) for business requiring KYC (and accept this approach)

Same as the above list

USE CASE THREE:

Other online forums, subscriptions, etc. typically require an e-mail address, and perhaps a phone number. Sites like Signal and Telegram require a phone number.

Often, the forum, merchant, etc. “sells” your info, resulting in unwanted spam. For me, this is gotten much worse over the years, lately I’m deleting many dozens of text messages daily. That number has got to go, but I’d like to have a solid approach before making changes.

*QUESTION(S): What’s the best practice, use the 2FA number? Or put them on another anonymous number? I may not want a direct connection between my 2FA number (where my identity is well known) and another forum like Telegram for example, to maintain some level of anonymity.

Rather than paying for a 3rd phone line, maybe use an additional JMP (XMPP) phone number (https://jmp.chat/) number, these a pretty cheap.*

USE CASE FOUR:

“Trusted” relationships.

Perhaps some family, friends, other contacts, who may get a “private” number that is NOT used for other routine relationships.

This could be a virtual phone or some other JMP (XMPP) phone number (https://jmp.chat/)

I believe if both parties are on XMPP, then their communications (calls, text) is E2EE (End to End Encrypted), also enables video calls.

These “trusted” relationships could be a subset of the contact names in the main phone number, mentioned above. I suppose they could get both numbers, or just get the “private” number.

comment:
there’s also online forums / chat room which don’t require an identity and could be used for more secure communications as needed

In Closing:
This is a bit wordy, but I think it reflects some common use cases when you have the intention to maintain some level for privacy online.

(unless you want to stay or revert to “normie” status where you use the same number for everything)

Thoughts?

You’re on the right track.

Some points here to add to this - note my threat model might be more strict.

• Its good to not give out any base number that is linked to a physical sim card. Physical sim cards can be used to track you with cell site locations, and are vulnerable to sim swap attacks.
• Lets start with a base phone. This phone is a prepaid sim card, bought cash, registered under an alias. Don’t give this number out to anyone, nor use it anywhere. Only you know this number. This will prevent anyone from being able to find your location using the phone, or attack this number with sim swap attacks. Some people go further, and avoid grid referencing this phone by only using it at locations away from their home.
• On an app like jmp chat or mysudo you can have many different numbers. You can use a separate number for communications apps, calling friends or family, and 2FA codes.
• If some sites don’t allow VOIP, then I would purchase separate sim cards cash, burner phones, use these phones to register accounts on the main phone. These phones would typically be stored in a Faraday bag when not in use, and only used outside of my home for the purpose of registering an account with the burner number.
• To avoid the base phone from being grid referenced to your location, I use a seperate device without cellular service (ie laptop with signal, or ipad with no sim card) whenever I am at my home. This is so there are 0 cell phone signals associated with my address, nor are there any phone numbers actually registered to my name.
• If I want a burner phone or other line for a specific narrow purpose (lets say going on a trip), I can buy a new temp device cash, use it for this purpose, then dispose of it.
• I never use multiple cellphones at the same time, the other ones are always stored in faraday bags to prevent correlation between cellphones. Lets say everyday on your drive to work, there are two cell phones in your vehicle, these cell phones will be easily linked with you since they typically travel together - same reason I don’t use them at my house.
• For stores rewards programs or whatever, these people don’t even need a real number. I literally just open a site like https://smstome.com/ on my phone, find a random number and use that. Or I give them their own store’s phone number, they never verify anything.

Be aware that Rob Braxman often spreads misinformation, trying to sell his own products.

Yea. The problem with Braxman is he mixes in a lot of bullshit with true stuff. It then becomes a chore to disentangle all of it.