Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://tweesecake.social/@adisonverlice" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>adisonverlice</span></a></span> even <em>if</em> an <a href="https://infosec.space/tags/MVNO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MVNO</span></a> isn't demanding any <a href="https://infosec.space/tags/KYC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KYC</span></a> whatsoever (i.e. <a href="https://infosec.space/tags/prepaid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>prepaid</span></a> are offered OTC in most juristictions) it's <em>NOT</em> "<a href="https://infosec.space/tags/Anonymous" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Anonymous</span></a>" but merely <em><a href="https://infosec.space/tags/pseudonymous" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pseudonymous</span></a></em> as it's trivial for governments to utilize existing <em>and mandtory "<a href="https://infosec.space/tags/LawfulInterception" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LawfulInterception</span></a>" appliances</em> to create that <a href="https://infosec.space/tags/PII" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PII</span></a> chain.</p><p><a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhoneNumber</span></a> <=> <a href="https://infosec.space/tags/ICCID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICCID</span></a> (<a href="https://infosec.space/tags/SIMcard" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SIMcard</span></a>) <=> <a href="https://infosec.space/tags/IMSI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IMSI</span></a> (SIM profile) <=> <a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IMEI</span></a> (Phone/...).</p><p>So if <a href="https://infosec.space/tags/Anonymity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Anonymity</span></a> is important, <em>NONE</em> of these details have to be linked somehow even circumstantial.</p><ul><li><p>Bought/paid for the phone/SIM/ a single top-up with ec/CC/PayPal/SEPA/… = busted due to circumstantial connection.</p></li><li><p>Use the SIM in any device? Consider them <em>circumstantially connected</em> forever: <a href="https://infosec.space/tags/ICCID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICCID</span></a> <=> <a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IMEI</span></a>.</p></li><li><p>Same applies to <a href="https://infosec.space/tags/eSIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eSIM</span></a>|s: <a href="https://infosec.space/tags/EID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EID</span></a> <=> <a href="https://infosec.space/tags/ICCID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICCID</span></a> <=> <a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IMEI</span></a>.</p></li></ul><p>Add to the fact that most places have <a href="https://infosec.space/tags/CCTV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CCTV</span></a>, and assume that they'll keep recordings for the <em>maximum permissible duration</em> if not longer and oftentimes even use questionable cloud services and you get the picture.</p><ul><li>I.e. in Germany the maximum permissible storage duration is 72 hours (<em>if nothing hapoens that warrants a longer storage i.e. burglary/theft/robbery/arson/...</em>) so anonymous top-ups would necessitate paying cash at a place one's not been known at (i.e. some kiosk) and waiting at least >72 hours (and checking on the purchase location) before redeeming the top-up code (i.e. dialing <code>*104*1234567890123456#</code> )...</li></ul><p>So any <a href="https://infosec.space/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a>-based service should <em>never ever & under no circumstances</em> demand a Phone Number!</p><ul><li><p>Instead any privacy-focussed service should use <a href="https://infosec.space/tags/OnionServices" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnionServices</span></a>, host their own <a href="https://infosec.space/tags/OnionService" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnionService</span></a> or at least <a href="https://infosec.space/tags/DontBlockTor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DontBlockTor</span></a> and allow users to use it via <span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/Tor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tor</span></a> to use and signup. (But don't forget circumstantial connections there either!)</p></li><li><p>Also the less details they want or store and the least traffic they generate the harder it is to correlate traffic & users.</p></li></ul>