It would be good if phone companies weren't quite so complicit in hiding companies behind anonymous phone numbers, and relaying numbers for which they don't have verified origin info.
Supposedly today is the day that even the small carriers that were previously exempt from not having to comply with STIR/SHAKEN will now have to.
But its meaninglessness is demonstrated by the fact that I have received two spam calls (complete with "accurate" caller ID) since starting to read these comments.
I don't want one company to be the arbiter of all communications everywhere. Phone numbers work fine.
For me too, and if there is an application that allows blocking numbers, spam is not a problem.
Now I use the Google built-in caller app antispam function. Most of the spam numbers have already been marked as such by somebody else. Even if that didn't exist I could just block the number after the fact and no more calls or SMSs.
I'd rather program that myself than rely on Google for the functionality. I hope Pine or some other programmable phone gets to a usable state some day. But as of now, it's good enough.
Edit: I'm in Spain, not sure if that works the same in the USA.
Phone numbers have the same problem as email, though: because "everyone" is responsible, no one is responsible. The deluge of spam texts and calls to my public phone number is genuinely unpleasant and frustrating to deal with as, like, a person living in the world.
I practically don't use email anymore for those reasons, and a phone number hangs around only because right now I can't not have one for legal-type reasons.
email, at least, you can fully implement your own antispam solution in whatever way you want
at one extreme, you can just point the mx records for your domain at office365 or gsuite or similar and let them handle it
at the other extreme, you can point the mx records at your own mailserver you admin yourself and do absolutely anything you want with the incoming smtp mail flow for antispam measures, sorting, filtering, categorization, risk analysis.
the ordinary person even if they work for a telecom cannot implement their own phone number at one of the most fundamental levels of the pstn, because they don't run their own ss7 switch.
if you control your own DID and interface with it from a sip trunk to a trusted provider, running your own voip system, you can do a lot with custom routing/antispam measures on incoming call flow, but nowhere near to the extent that you can with email.
There's still a little bit of control near the client end with things like call screening and phone apps that check numbers against a database. You can't reject the initial connection (like DNS blocklists) but it's still something.
The way to solve this is by educating the people in your network about better security practices, not by giving away control over your communications just because of "convenience".
"Just get everyone to be perfect, including random companies who require a phone number for validation, and if a single failure ever happens you're going to be spammed forever in a way that is directly interruptive and intrusive instead of one in a list of messages in a queue."
I don't know how to say this any more nicely than this: this is a permanently losing solution with no redeeming qualities to such a degree that it makes me wonder at how in-good-faith the suggestion actually is with regards to solving the stated problem.
The point is not to "be perfect", the point is to raise the standard of acceptable practices, to make it harder to abuse it.
Just as an example: phone numbers should not be used for validation of anything as they are public. So companies who are requiring phones for any kind of authentication should be shamed into changing their practices, much like we learned to not trust companies that stored passwords in plain text, or use "recovery questions".
The abuse is that without sufficient guardrails a ten-digit number can be used to bother me at all hours of the day or night unless I want to be less accessible to people who I may need to hear from, not that it's used as an authentication source (which, yeah, not great, but also not the end of the world).
Out-of-band authentication aside, a company is going to retain my phone number to be able to contact me. So are my parents. Somebody is also going to inevitably leak it because security is difficult. Breaking the capabilities of bad actors, then, is a requirement. You have entirely ignored this in favor of blame-the-user rhetoric and I can't come up with a great reason why you'd blame every user for a systemic failure other than that the system cannot be repaired.
> Somebody is also going to inevitably leak it because security is difficult.
Phone numbers were and will always be assumed to be public. (Yellow pages are still a thing)
> unless I want to be less accessible to people who I may need to hear from.
You don't need to be less accessible to anyone. Your phone can and should be able to filter things for you.
And it is not just a matter of setting up number filtering, I am talking about implementing changes in the application layer. One could imagine, e.g., a phone app that only rings if the caller provides a secret code provided by you, effectively making you reachable by phone number (public) + caller-specific code (private). You could also make it so that, if you have the code in your address book, it sends it via DTMF after the call is completed.
> other than that the system cannot be repaired.
It can be repaired, it is just that the cost of these changes might be too high if mandated for all network operators.
But even if the system couldn't be repaired, the solution is not to encourage adoption of a proprietary solution. Apple already controls way too much stuff, we shouldn't give them yet another monopoly for them to exploit.
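An added sketch of the "phone number (public) + caller-specific code (private)" screening idea from the comment above; it is not code from any commenter or from an existing app. The HMAC-based derivation, the `Screener` class, the limits and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

CODE_DIGITS = 6    # assumed code length, keyed in as DTMF after the call connects
MAX_FAILURES = 3   # assumed wrong-code budget per presented caller ID


def caller_code(master_key: bytes, label: str) -> str:
    """Derive one contact's code from a device-held key, so codes need not be stored."""
    mac = hmac.new(master_key, label.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class Screener:
    """Hypothetical screening hook: ring only when a known, unrevoked code arrives."""

    def __init__(self, master_key: bytes, labels):
        self.codes = {caller_code(master_key, lb): lb for lb in labels}
        self.failures = {}

    def revoke(self, label: str) -> None:
        # A leaked code is cut off without touching anyone else's code.
        self.codes = {c: lb for c, lb in self.codes.items() if lb != label}

    def screen(self, caller_id: str, dtmf: str):
        # Caller ID is spoofable, so it only throttles guessing and is never proof.
        if self.failures.get(caller_id, 0) >= MAX_FAILURES:
            return ("blocked", None)
        match = None
        for code, label in self.codes.items():
            # Constant-time comparison against every code, no early exit on a hit.
            if hmac.compare_digest(code.encode(), dtmf.encode()):
                match = label
        if match is None:
            self.failures[caller_id] = self.failures.get(caller_id, 0) + 1
            return ("silent", None)
        self.failures.pop(caller_id, None)
        return ("ring", match)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    s = Screener(key, ["parents", "bank"])
    print(s.screen("+34000000001", caller_code(key, "bank")))
    print(s.screen("+34000000002", "123456"))
```

A code sent as DTMF is a shared secret carried in-band, so per-contact codes and revocation are what limit the damage when one leaks.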
Phone numbers work fine but we're missing solid cryptographic verification systems on top of them.
Why are registered businesses not verifiable? Or at least banks and government departments? Why can't phones hold an ID in their cloud profiles so switching numbers lets your friends auto-update to you?
We could be doing so much better (with the goal of making it practical to operate whitelist-only).
For what it's worth my solution which may not work for others is to set the default ring/text tone to "None" and then add custom ring/text tones in my address book on my little throwaway flip phone. It works great for me personally. I never get distracted by bots and just mass delete their messages without even looking at them when I get around to it. This method probably will not work for people glued to their phones.
An Android solution is to only ring/notify the phone for people in your contacts. It's easier than giving individuals a ring tone as unknowns get the silent treatment by default. Basically just whitelist instead of blacklist.
I'm considering doing that to my personal email. Default deny, whitelist known contacts, auto delete the junk mail folder. If I didn't have friends and family using them, I'd just outlook.com and gmail.com outright. It's frustrating how much spam they send.