> Turns out that phone numbers, whilst also subject to flux, have better long-term congruence to identity, and thereby help us to detect account duplication and manage it.
What service do you offer? Because I would never give a company where I wasn't paying for the service my phone number. How do you guarantee you won't misuse it or have ample protections in case of a breach?
We're a two-sided network for sports competition management and work with athletes, clubs, associations, and governing bodies. Users pay real money for our services, we don't carry ads or even tracking pixels, and our privacy policy details exactly how, when and to whom PII is disclosed.
The broader point is that collection of phone number isn't intrinsically a bad thing, it's rather the usage and trust level that matters. Judging by the parameters and caveats in your question, you have a similar perspective.
>The broader point is that collection of phone number isn't intrinsically a bad thing
Phone numbers as usernames is intrinsically bad for user data security at the meta level. If a service requires a verified phone number to signup, it becomes a de-facto username.
Let's say a fetish dating site is partially breached, and the usernames are emails. Now your let's say your database is fullly breached, with the usernames as phone numbers and emails included. Guess what happens next with the intersection of those two datasets?
That is a general problem even if the phone number is not the username and is not limited to phone numbers, but also any data that is referenceable by email addresses, which is to say almost every unit of PII in almost every online system that exists today.
The implication being that if a system requires a verified phone number to use, then breaches are intimately tied to an individual's real identity. This is far less true of email addresses.
Your remarks only make sense to me if you're trying to remain entirely anonymous on a fetish dating system whilst simultaneously disclosing personally identifying information for reasonable use, and I can't reconcile these two objectives.
At the meta level: I use a variety of online systems that I trust to varying degrees, from high to low. Currently I can control my level of information disclosure by using different email addresses. If these systems now require a verified phone number, I then have to trust them all at 100%, tied to my real identity.
So a SaaS website requiring verified phone numbers seems benign on the surface. However if this becomes widespread then the overall identity landscape is compromised for the user.
At the system level: This is essentially the pseudonym-vs-realname debate. Twitter is the perfect example. Let's say I open an account to whisteblow on my government's nefarious activities. Now if there's a breach or state interception (eg China), they know exactly who I am and where to find me.
Well then this is going to bake your noodle: we also ask for correct name, date of birth, and emergency contact details, because those are also useful/necessary for our business.
Fair enough - your product is clearly operating at a high level of trust. My concern with required verified phone numbers is if they become a widespread pattern, I now need to treat eg my Reddit porno alias as if it is linked to my street address (in case your system and Reddit become compromised).
Back to the context of Twitter, this is mitigating the troll system problem by introducing a user identity one.
> our privacy policy details exactly how, when and to whom PII is disclosed.
And it's your right to simply change that privacy policy whenever you see fit, and you still have my phone number. There is nothing legally and systemically that revokes your right to that.
> The broader point is that collection of phone number isn't intrinsically a bad thing
It's intrinsically a bad thing because our general trust model is simply fragmented and thus poor. See my point above.
What service do you offer? Because I would never give a company where I wasn't paying for the service my phone number. How do you guarantee you won't misuse it or have ample protections in case of a breach?