And what a cute favicon!
IIRC, I didn’t have best experience using T-Mobile.
You don’t even need a zipcode if you use https://silent.link/ then you can pay with whatever crypto and have an esim where the balance never expires and it works in most of the world. I’ve used it a few months and it’s pretty good if you don’t need a phone number.
How does an esim work with no number? Data only?
Yes, suoer common travwl esims sans #
This, and because there’s no number it’s easier for them to not have KYC.
Interesting because the article says the ZIP code is required for tax purposes
Maybe the owner is outside of the US, maybe it’s OK?
Is there a reason they used an image of a phone with a screen smeared with what looks like rendered goose fat?
i think it’s fingerprints…?
Like a pun on data fingerprinting. But that’s not exactly what this service protects against.
Very impressive.
When will this service be forced to change or shut down? I think five years. Possibly less if a major case hits the news where a bad actor used the service.
seems like a boon to swatters and the shitbags of the world… sure, privacy minded people, ICE trackers etc., yeah, but also… the shitbags…
He’d sometimes come across anti-surveillance hard-liners determined to avoid giving any personal information to cellular carriers, who bought SIM cards with cash and signed up for prepaid plans with false names. Some even avoided cell service altogether, using phones they connected only to Wi-Fi.
So if this is already possible, what is his new company providing that’s new?
What’s the problem he’s trying to solve?
Signing up with a fake name is not the same as not requiring a name to sign up.
how is this not just that cape cell provider?
I used Calyx Institute for internet for a couple years while working online and living in a car. Solid company. Definitely gonna check out his out.
It appears as though cloaked wireless might be a better deal.
Phreeli offers #25/mo for unlimited talk and text with zero gigs of data per month. They give you a free 2GB at signup, but once you are done with that, you have to pay $20 for 5GB. That $25 does include government extortion and fees.
Cloped wireless also offers a $25 per month plan, but does not include extortion and fees in the price, so it would be more like $32. They give you unlimited talk and text with 500 megabytes of high-speed data and unlimited low-speed data after that.
You can pay both of them with Monero, which is why I’m definitely going to switch, but so far, I think I’m going to be going with cloaked wireless instead. Because they offer a lot of the same guarantees, but for a lower price (after data is added to phreeli)
Can someone with experience doing ZK Proofs please poke holes in this design?
Can someone with experience doing ZK Proofs please poke holes in this design?
One doesn’t need to know about zero-knowledge proofs to poke holes in this design.
Just read their whitepaper:
You can read the whole thing here but I’ll quote the important part: (emphasis mine)
Double-Blind Armadillo (aka Double Privacy Pass with Commitments) is a privacy-focused system architecture and cryptographic protocol designed around the principle that no single party should be able to link an individual’s real identity, payments, and phone records. Customers should be able to access services, manage payments, and make calls without having their activity tracked across systems. The system achieves this by partitioning critical information related to customer identities, payments, and phone usage into separate service components that communicate only through carefully controlled channels. Each component knows only the information necessary to perform its function and nothing more. For example, the payment service never learns which phone number belongs to a person, and the phone service never learns their name.
Note that parties (as in “no single party”) here are synonymous with service components.
So, if we assume that all of the cryptography does what it says it does, how would an attacker break this system?
By compromising (or simply controlling in the first place) more than one service component.
And:
I don’t see any claim that any of the service components are actually run by independent entities. And, even if they were supposedly run by different people, for the privacy of this system to stop being dependent on a single company behind it doing what they say they’re doing, there would also need to be some cryptographic mechanism for customers to verify that the independent entities supposedly operating different parts were in fact doing so.
In conclusion, yes, this is mostly cryptography-washing. Assuming good intentions (eg not being compromised from the start), the cryptographic system here would make it slightly more work for them to become compromised but does not really prevent anything.
The primary thing accomplished by cryptography here over just having a simple understandable “we don’t record the link between payment info and phone numbers, but you’ll just have to trust us on that” policy is to give potential customers a (false) sense of security.
If they use a payment processor, doesn’t that become the second service component?
If a payment processor implemented this (or some other anonymous payment protocol), and customers paid them on their website instead of on the website of the company selling the phone number, yeah, it could make sense.
But that is not what is happening here: I clicked through on phreeli’s website and they’re loading Stripe js on their own site for credit cards and evidently using their own self-hosted thing for accepting a hilariously large number of cryptocurrencies (though all of the handful of common ones i tried yielded various errors rather than a payment address).
Stripejs is PCI compliant via tokenization. That is to say, your PII does not touch the merchant’s site. The only thing the merchant sees is random placeholders.
So it sounds like this might work, then?
Please can he start working in Europe too? We need to support his resilience.
What stops anyone outside the us from using this service? The postcode doesn’t need to be verifiable, if needed, just use a VPN?
Great idea, we have some slight difference in frequencies but probably worth trying if the sim cards allow international roaming without breaking the bank.
I was just thinking as a phone number for all those services that ask for phone numbers to sign up.
I have to read this all soon. But I hope something like this shows up for Canada.
In Canada? Not happening. Canada is chasing the EU and the UK in everything related to chat control and all that crap.
Unfortunately.
Yeah, but Canada is just one of the next in line, we’ll all be battling that eventually, with very little chance at winning too. It sucks.
Just use Session.
care to elaborate?
With a data-only SIM card.
They think my boss is gonna switch to session just to send me messages.
They also think NOT about the privacy implications behind using cellular services in general, even just for data (which using a different messaging app doesn’t help).
oh it’s nick from Calyx 😊
Is that good or bad?
It’s a good thing! he genuinely cares about user privacy. The Wikipedia entry had some info worth reading
That’s very good.
That’s very good. https://en.wikipedia.org/wiki/Nicholas_Merrill
Nick Merrill! This guy is awesome! I met him a few times back around 2014 when I sold him a bunch of old Dell server racks, presumably for use by his organization Calyx. This was a few years after his case against the FBI ended and he was able to talk freely about it. I’d been following the case previously so it was like meeting a personal hero, even though we were just manually humping Dell pizza boxes into his van. Legit guy, really cares.
Much respect to Nick for fighting for eleven years against the gag order he received, but i’m disappointed that he is now selling this service with cryptography theater privacy features.
