You might want to use the term "single-purpose number" or something similar. Burner phone is colloquially used as a term for non-registered/anonymous phones, which this isn't. Sure it sounds cool but people might assume that's what they are buying...
I was going to call you out for being overly precise, but given that this is literally hosted by essentially a Telecom company it's a pretty valid point.
That being said, burner doesn't mean anonymous. Burner means disposable. Obviously you're not going to dispose of your account, application, and server every time you're done with the number.
It's also not even a phone. I guess it's a phone application in the most minimal sense of the word.
But I agree with kchr in principle. "Burner" may not mean anonymous but it's more often than not associated with anonymous and anonymity. It's the go-to perception or association if you will.
So I think kchr and I are saying the same thing: the article is using the burner/anonymity context as a little click-bait IMO and it's not a big deal but it's a valid point.
True, but it's mostly anonymous (but not subpoena-proof). There are multiple mobile apps that refer to themselves as "burners" (burn the number) but the same caveat applies.
Any entity that is either subject to CALEA, or behaves as if it's subject to CALEA, is not your friend.
Note that Twilio, although not subject to CALEA, still behaves as if it is, bending over backward to honor any and all "lawful requests" for customer information, and requiring PII on account signup: https://www.twilio.com/legal/law-enforcement-guidelines
A valid search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel Twilio to provide the contents of communications sent or received through Twilio’s products or services.
How utterly unreasonable. Yeah, the man is totally trying to keep you down through Twilio.
If you're not a member operating under the criminal or civil justice system in the United States, it might be anonymous enough. Anonymous "enough" is all you'll usually get anyway. If you want to get technical, there's no such thing as true anonymity. Of course, whether or not "enough is enough" is, as always, going to depend on your threat model.
> The claim was that Twilio was "mostly anonymous", which isn't true.
If you accept that anonymity isn't a purely true/false proposition, which you are doing by using the word "mostly," having your identity only available to law enforcement after a court order has been issued seems like a textbook instance of "mostly anonymous."
Possibly? In this sort of continuum of anonymity we're talking about, that's probably a lot more anonymous (but it isn't fully anonymous unless you're paying someone else to buy the phone for you in a different city, and they don't know who you are, and probably some other things I'm not paranoid enough to think of).
It's still fine to say Twilio is "mostly anonymous," and objecting to that - that Twilio is "mostly anonymous" - on the basis that law enforcement can find out who you are with a court order is very silly. As if a service that requires due process of law to uncover any information about you is morally or practically equivalent to having your name and address in the white pages.
So should we just say it's not anonymous at all? Eliminate the whole notion of "mostly anonymous?" That's what the argument was. If Twilio isn't "mostly anonymous," what is? And why the heck does having subscriber data available via court order eliminate something from the "mostly anonymous" category?
edit: by the way, I never said '"anonymous" simply means it's not listed anywhere'
You can't see the difference between something where it's difficult to even figure out who the user is and something else where anonymity depends entirely on you trusting the service provider and them not being subject to a court order?
At a nesting depth of six or seven comments, is it really productive to reply with rhetorical questions that don't even respond to the comment? Of course I can see the difference. I just don't understand what it is about the level of privacy that comes from requiring a court order to access user information that moves a service from "mostly anonymous" to "not anonymous at all." It seems like a highly ideological rather than a practical position to take.
I'm sure we can all agree that "mostly anonymous" isn't good enough for a dissident, but holy fuck what a useless subthread you started. Or I started. Dear God.
It's ironic: the above reply is the first time you've responded to something I actually wrote. I almost admire the fact that it's impossible to tell whether I'm being trolled or whether you are actually like this.
Is the only way I can "respond to something you actually wrote" by repeating key words and phrases from your post? I reject your notion of "mostly anonymous" as essentially impossible to distinguish from "not anonymous."
It's not anonymous at all. Twilio requires PII to register an account and they log all communications. I've never used their voice services so I don't know if those are recorded but everything else is. It's fantastic for debugging and horrifying to think of what might happen if someone compromised an account.
The challenge for Twilio is that phone #s are a fixed quantity. The same #s have been circulating across lots of different companies including being used by spammers and in marketing campaigns and published across the Internet. Make sure to search the Internet for any phone # you acquire from Twilio before buying it. It may already have substantial call spam/undesirable organic traffic associated with it.
On the flip side, there are already companies out there specializing in monetizing misdials. They specifically look for phone #s that have been retired recently with a lot of volume and then take those calls and resell as leads for cars, insurance, etc.
Agreed on the challenge of working with a fixed number of phone numbers (and I say this as someone who recently moved to NYC and would love to own a 212 number).
In the industry, phone numbers that have a high-volume of unwanted traffic are called "dirty numbers." Think of a number used by someone who signed up for every sweepstakes they came across for 40 years, or maybe a number that's particularly cute (you probably don't want to have a cellphone tied to XXX-867-5309).
If we sold them, dirty numbers would be worse-than-useless for (almost all) of our customers. So, whenever a phone number is released by a Twilio customer, we reserve it for a minimum of two months before it can be purchased by another account. We also monitor each reserved number until it reaches an acceptably low number of phone calls.
If you do find yourself getting unwanted calls, you can use the <Reject> TwiML verb to create a blacklist - your account won't receive or be charged for those calls.
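As an added example (not code from the original post or from Twilio), here is what an inbound-call webhook built around that <Reject> blacklist looks like in plain Python: the handler normalizes the caller ID, answers blocked callers with <Reject> and forwards everyone else with <Dial>. It also recomputes Twilio's X-Twilio-Signature (HMAC-SHA1 over the webhook URL plus the sorted POST parameters, base64-encoded, keyed with the account auth token) before trusting the request, because a webhook that skips that check will happily <Dial> out on your bill for anyone who learns its URL. The blocklist, forwarding number, webhook URL and auth token are constructed values.

```python
import base64
import hashlib
import hmac
import re
from xml.etree import ElementTree as ET

# Constructed values for the example; in a deployment the auth token comes from
# the Twilio console and the blocklist from your own store.
BLOCKLIST = {"(212) 555-0199", "+15005550006"}   # callers to <Reject>
FORWARD_TO = "+12125550100"                        # your real cellphone


def normalize_e164(number: str, default_country: str = "1") -> str:
    """Reduce the common written forms of a US number to E.164 (+1NXXNXXXXXX).
    Twilio already delivers From/To in E.164; this is for operator-typed
    blocklist entries, so "(212) 555-0199" and "+12125550199" compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = default_country + digits
    return "+" + digits


def twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Recompute X-Twilio-Signature: HMAC-SHA1, keyed with the account auth
    token, over the full webhook URL followed by every POST parameter sorted
    by name and appended as name+value with no delimiter, then base64."""
    payload = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def handle_inbound_call(auth_token: str, url: str, params: dict,
                        presented_signature: str) -> str:
    """Return the TwiML document for one inbound-call webhook.

    Requests that fail signature validation are rejected before From is even
    looked at: otherwise a forged POST to the webhook URL could make this
    number <Dial> anywhere, charged to the account.
    """
    blocked = {normalize_e164(n) for n in BLOCKLIST}
    response = ET.Element("Response")
    expected = twilio_signature(auth_token, url, params)
    if not hmac.compare_digest(expected, presented_signature):
        ET.SubElement(response, "Reject", reason="rejected")
    elif normalize_e164(params.get("From", "")) in blocked:
        # Twilio tears the call down unanswered; per the comment above,
        # rejected calls are not billed to the account.
        ET.SubElement(response, "Reject", reason="rejected")
    else:
        ET.SubElement(response, "Dial").text = FORWARD_TO
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(response, encoding="unicode")


if __name__ == "__main__":
    url = "https://example.invalid/voice"             # assumed webhook URL
    token = "0123456789abcdef0123456789abcdef"        # constructed auth token
    params = {"CallSid": "CA00000000000000000000000000000000",
              "From": "+12125550199", "To": "+12125550123"}
    print(handle_inbound_call(token, url, params, twilio_signature(token, url, params)))
```

The signature check compares with hmac.compare_digest rather than == so the comparison does not leak timing information, and the blocklist is normalized once per request so a number typed as "(212) 555-0199" still matches the E.164 From value Twilio sends.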
We have a similar challenge in working with the fixed number of IPv4 addresses we're able to get our hands on. We offer our customers dedicated IP addresses for outbound email, but there are sometimes situations where a customer doesn't want to hold onto one forever.
We want to make sure mailbox providers (like Gmail and Hotmail) have time to realize the IP is not in use, rather than mistakenly associating it with the old customer. It makes sense to hold onto it for a while after the customer releases it before allowing another customer to purchase it. We call this the "cooldown period."
Gmail primarily uses domains for reputation, according to their docs (and in practice). I never had to deal with much IP management when sending to Gmail or G Suite recipients.
Microsoft does use the range of black holes, e.g. Spamhaus, including using their own, so etjossem is right about having to cool down a bad IP before requesting whitelisting. Almost all ESPs and black holes will reject whitelisting requests without a sufficient cool down period anyway.
Gmail is certainly ahead of its time. I haven't tried sending with IPv6 addresses but the Gmail documentation claims it will work.
Just from looking at my own mail servers and mail headers, Gmail will happily both send and receive mail over IPv6, and has for years. Same with Outlook. Oddly, despite Apple's push for IPv6 support, iCloud doesn't seem to have an IPv6-capable MX.
You're spot on about Google; they've moved forward from this approach and lean more heavily on domain-based information now. But they're a rare exception, and they have very little to go on when the domain is just "sendgrid.com" (i.e. the customer hasn't set up whitelabel yet). So we want to make sure we're always giving customers new or cooled IPs!
I'm surprised you willingly burn your own domain's reputation. Other email-as-a-service companies require a validated domain with SPF and DKIM in the DNS TXT records or use a burnable subdomain, e.g. freeaccount12345.sendgrid.com; or even better, 12345.sendgridfreeaccount.com.
Hey Greg, uneducated but interested inquirer here: Once you're inside a phone network, phone numbers can be as long as you like, can't they?
Could Twilio not arrange for a new "country code" to be assigned, possibly to an industry working group of some kind, and then make the numbers ~64 digits long? Then there should be more than enough to go around and to discard dirty numbers, and the numbers could always be made larger in the future if needed?
No, because 98% of people's phone systems out there expect a destination number in a specific format. You can't just have a NANPA area phone number that is arbitrarily long or has extra digits in it.
If you are way, way bigger than Twilio you can create a country code. Country codes exist for special purposes like the Iridium satellite phone network. But you cannot just create a country code for arbitrary purposes and expect it to work with the world's PSTN/SS7 infrastructure, any more than you can choose an arbitrary non-RFC 1918 /8 of IP space and start using it on the public Internet.
Maybe Twilio isn't big enough by themselves, but if you add in Google Voice, Plivo, all the internet VoIP providers, and all the Cable Company VoIP services, you are big enough.
Is there a VoIP trade association they are all members of? If so, the trade association would be big enough to push for a new country code for the special purpose of software-based telephony just like Iridium has one for satellite-based telephony.
If that fails, Iridium is struggling. That hypothetical trade association could acquire the country code from Iridium with special agreements to ensure that Iridium still can lease numbers for no-cost for satellite-phone purposes.
You're wrong that Iridium is "struggling", they're in the process of launching and commissioning their next generation satellite system. It is used so extensively by the US DoD, NATO militaries, aircraft based phone systems and maritime systems that it's quite well positioned. It is the only real LEO truly global coverage satellite phone network that includes high latitude polar regions. The globalstar bent-pipe network architecture and coverage is a joke.
The problem with that idea is I'm pretty sure an incoming call with a +988 (or other) country code is much more likely to be screened by Americans. I'd be like "I don't know anyone in that country". Not sure but I suspect Europeans may screen calls if not within their set of known Euro country codes.
I wouldn't pick it up because I'd be worried about fees for taking an international call. I don't know if there are actually fees though the uncertainty would stop me.
Or if you're in the local area, you can find somebody with a POTS 212 number or cellphone and pay them cash. Porting a number to a voip service is basically as simple as the bill payer writing "authorized to port to NEWSIPTRUNKINGPROVIDERNAME 2017-07-18" plus a signature on a one page scanned piece of paper.
At Penn State, we run our own phone system and have the 867 local exchange (in the 814 area code). If you dial 867-5309 from a phone on campus, it plays "Jenny" for you - an Easter Egg in a phone system!
Why not disclose prior call patterns before selling the # rather than putting the burden on developers to flag spam to receive credits?
Saving a couple of cents by getting reimbursed for the call doesn't actually solve the issue when your team is wasting their time picking up the phone only for it to be a misdial or spammer.
Wholeheartedly agree that the burden is ours -- not the developer's -- to make sure a number is clean before you buy it. We monitor inbound activity for two months before making a number available for sale. <Reject> is not for spam that comes with a number when you buy it -- it's for all the stuff that happens after you put that number out in the wild.
More than that though, we can't reveal historical patterns because we'd be violating the privacy of whoever previously owned the number.
Is it actually a problem though? I'm not a high volume consumer of numbers, but I've not had any spam on the handful of numbers I have.
The same can't be said for my physical POTS/cellular numbers.
Anecdote of one, and everything, but has anyone actually had impactful levels of spam from an insufficiently cooled number that they wouldn't have had from any number in the area code?
Odds are you won't be able to figure that out. Furthermore downstream providers will often treat traffic differently, including but not limited to ratelimiting and dropping of SMS, if the number was abused by a previous owner. The things that people gloss over in an IPO...
Agree you won't be able to figure it out 100%. A couple of lines of code counting the # of websites that reference the phone # will prevent some potential catastrophic results, but not all.
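As an added example, not code from the original post or from Twilio, here is the pre-purchase "dirty number" check the two comments above describe, generalized a little: instead of searching for one spelling of the number it builds a regex that matches every common written form of a 10-digit NANP number (optional +1 or 1, optional parentheses around the area code, dots, dashes or spaces between groups) and counts how many distinct pages mention it. The search itself is out of scope; the function takes already-fetched page text, and the sample pages and URLs below are constructed for the example.

```python
import re
from typing import Dict


def reference_pattern(number: str) -> "re.Pattern[str]":
    """Compile a pattern matching any common written form of a NANP number.
    The lookarounds refuse matches inside a longer digit string, so an
    account number that happens to contain the digits is not counted."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit NANP number, got {number!r}")
    a, b, c = digits[:3], digits[3:6], digits[6:]
    sep = r"[\s.\-]*"
    return re.compile(rf"(?<!\d)(?:\+?1{sep})?\(?{a}\)?{sep}{b}{sep}{c}(?!\d)")


def count_references(number: str, pages: Dict[str, str], threshold: int = 2) -> dict:
    """Count the pages (URL -> fetched text) that mention `number` in any format.
    A number referenced on `threshold` or more distinct pages is flagged as
    likely dirty, i.e. likely to bring unwanted inbound traffic with it."""
    pattern = reference_pattern(number)
    hits = {url: len(pattern.findall(text)) for url, text in pages.items()}
    hits = {url: n for url, n in hits.items() if n}
    return {
        "pages_hit": len(hits),
        "total_matches": sum(hits.values()),
        "dirty": len(hits) >= threshold,
        "hits": hits,
    }


# Constructed page texts standing in for search results.
SAMPLE_PAGES = {
    "https://example.org/sweepstakes": "Call (212) 555-0123 now to claim your prize!",
    "https://example.net/classifieds": "Contact Jenny at 212.555.0123 or 212-555-0199.",
    "https://example.com/about": "Our office line is +1 212 555 0199.",
    "https://example.edu/forum/t/42": "Reach me at +12125550123. Member since 2009, account 52125550123.",
}

if __name__ == "__main__":
    print(count_references("+1 (212) 555-0123", SAMPLE_PAGES))
```

Run against the constructed pages, three of the four reference the candidate number, so it is flagged; the "about" page mentions a different number and the account number on the forum page is correctly ignored.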
Slightly OT question - if I want a particular phone number, what's the preferred method of doing this? I.e., is there a way to be notified when someone gives up a certain number?
When I got my prime phone number I wrote a script that hooked into Google voice and Broadvoice's number requisition forms and looked through all the available numbers for suitable candidates every hour. I had the advantage of having many numbers that could meet my criteria, though. If there's just one specific number you want you might try calling it and seeing if you can negotiate a transfer?
Recently tried to use Twilio as a burner for registrations (project to set up unique personas online). All modern websites that require a phone number are also using a CNAM lookup and discriminate against VOIP numbers. I won't be ditching my prepaid phone any time soon in exchange for VOIP services.
Another problem with twilio numbers is that they are not mobile numbers. The reason that is a problem is that two factor authentication and other security measures are very often sent from mobile short codes and not from another actual phone number.
And no twilio number can receive any SMS from a short code. It's not possible, since they are not mobile numbers.
This means that you cannot use a twilio number for google products like gmail or google play store - you can never receive the challenge/auth numbers.
A lot of cellphone companies have this information displayed as an option for numbers not saved in your contacts. My provider (Verizon) gave me this option for a month for free when I first signed up then sent me a text that it was additional cost if I wanted to keep it. Then they started displaying that information for business lines for free. Later when I got my new phone it stopped for some reason.
Are you using a paid or a free trial account? A lot of number lookup services start returning garbage data if they suspect fraud/abuse from free users.
At the risk of sounding silly, what advantage does this provide over buying a $20 TracFone for cash and activating it without an account on TracFone.com over a public Wi-Fi?
Or, better yet, not bothering to "activate" it, but using it only over Wi-Fi, creating a new Google account, and downloading Talkatone (or the Hangouts Messenger to create a Google Voice account connected to your new account)?
Not a silly question at all. Developers certainly have a propensity to recreate the wheel for the sake of recreating the wheel -- though I think that many of us would agree that the act of creating is itself the advantage.
That said, a few things:
1. Costs less. A Twilio phone number is $1 per month (in the US). A minute of calling costs $0.01.
2. You can get a new number any time you want.
3. You get to write code.
Don't want to speak for Marcos (though he happens to be sitting 10 feet from me at the moment), but my guess is that what excites him most about writing this post isn't that other developers will copy it line for line. It's that they'll use it as a jumping off point -- that it inspires and equips developers to ship their own inventions.
For an example of this, check out the folks at Burner app who used a similar concept (pre-Kotlin) to build an entire business around this idea.
For example, this is the same model Uber uses to anonymize the driver's and rider's phone numbers. Probably when a driver signs off their number is released for a new driver to use until they sign off.
Do they use a unique number per driver per shift? If you know the rider's and driver's phone numbers, then you can connect them anonymously with just a single phone number. When I call that number, see if I have a ride in progress, and put me through to the right driver.
This assumes no pooling. With pooling you might need 4 numbers, as the driver could have up to 4 separate passengers they want to contact.
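To make the routing constraint in the last few comments concrete, here is an added example (not Uber's or Twilio's code, and not from the original post) of a masked-number pool. The routing key for an inbound call is (proxy number, caller), so on any one proxy number each real number may appear in at most one active session; a driver with four pooled passengers therefore consumes four proxy numbers, while unrelated pairs can share one. Callers who are not part of a session on that proxy get nothing, which is the privacy property the scheme is for. All phone numbers are constructed.

```python
from typing import Dict, Iterable, Optional


class MaskedNumberPool:
    """Bridge two parties through a shared proxy number without either side
    learning the other's real number.

    Routing is keyed on (proxy number, caller), so it is only unambiguous if,
    on a given proxy, each real number takes part in one active session.
    open_session enforces that when it picks a proxy.
    """

    def __init__(self, proxy_numbers: Iterable[str]):
        self.proxies = list(proxy_numbers)
        # proxy -> {participant: counterpart}
        self.sessions: Dict[str, Dict[str, str]] = {p: {} for p in self.proxies}

    def open_session(self, a: str, b: str) -> Optional[str]:
        """Pick the first proxy on which neither party is already active.
        Returns None when no proxy can host the pair unambiguously."""
        for proxy in self.proxies:
            active = self.sessions[proxy]
            if a not in active and b not in active:
                active[a] = b
                active[b] = a
                return proxy
        return None

    def route(self, proxy: str, caller: str) -> Optional[str]:
        """Who should an inbound call on `proxy` from `caller` be bridged to?
        Unknown callers get None, so a third party who learns the proxy
        number cannot reach anyone through it."""
        return self.sessions.get(proxy, {}).get(caller)

    def close_session(self, proxy: str, participant: str) -> None:
        """Release both sides of the session `participant` is in on `proxy`."""
        active = self.sessions[proxy]
        counterpart = active.pop(participant, None)
        if counterpart is not None:
            active.pop(counterpart, None)


if __name__ == "__main__":
    pool = MaskedNumberPool(["+12125550001", "+12125550002", "+12125550003"])
    driver = "+13105550100"
    riders = ["+13105550101", "+13105550102", "+13105550103", "+13105550104"]
    for rider in riders:
        # The fourth pooled rider gets None: three proxies, four sessions
        # that all involve the same driver.
        print(rider, "->", pool.open_session(driver, rider))
```

In practice the webhook for the proxy number would call route() with the To and From values Twilio delivers and answer with a <Dial> to the returned number, or a <Reject> when it returns None; close_session runs when the ride ends so the proxy can be reused.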
I've been doing this for a long time and there is one big, real-world, gotcha - most business (such as Uber, Lyft, Microsoft) can't send text messages to Twilio numbers. I filed a ticket with their customer support a few years ago and they basically swept it under the rug.
Or download a real burner phone app that lets you buy numbers and associate them for different things.
There are plenty on the app store for iOS and Android.
Those apps are just using a provider like Twilio on the backend. Though some of those apps are pretty feature-filled - "Burner" supports integrations via Slack, Dropbox, webhooks, etc.
Depends. A burner can be for anonymity, but can also be for disposable use. Most legitimate use cases, like those in the OP, are covered by using Twilio.
Is it just me or wouldn't everyone just rather live in a world where privacy is respected by third parties just like a first party would. The do not call law has developed too many exceptions or needs strengthening methinks. If I'm getting a spam call on a burner number vs. my normal number, have I really saved any time? or privacy or security if the number can be reused in malicious ways?
I save numbers for 2nd factor auth, and I seem to get yahoo/msft messages from the same numbers, also github sometimes. Number reuse is definitely a problem. A PKI cert system for numbers/calls would be great to have in this case. I want to know for sure that I'm getting my 2nd factor auth code from msft, regardless of the number they're using.
Totally understand the concern there, especially since you're already paying for your cellphone.
I did something similar a couple years ago when we were shopping for a car. A lot of car shopping sites are basically lead generators for dealerships and you need to provide a number to get real info. I used a Twilio number forwarded to my cellphone.
The deluge of calls started immediately. After 48 hours, when we had all the information we needed, I released the Twilio number and incurred no further charges.
Total cost was $1 (per month) for the phone number and $0.01 per minute for the inbound calls. Upside was that my phone stopped ringing the moment I was done talking to salesmen.
Doesn't this use case eventually screw over any future Twilio customer that selects that number? I see several inbound calls to my Twilio number from random numbers that I have to pay for, even though I'm only using Twilio in a development capacity right now. Do you guys "expire" numbers from your pool that receive aggressive amounts of Inbound traffic (voice, fax, or SMS)?
At some point a few years back, my VW dealership sold my phone number to people for vehicle service contracts. Even though I sold that car 4 years ago, I STILL get at least 2-3 calls per week from different companies offering to sell me an extended warranty. How does Twilio mitigate that for us?
(Off topic, but seriously, thanks for Twilio. Ping me if you want to know how we're using it in our new startup [email in profile]. It's pretty rad.)
Just wrote a lengthy reply to this concern up above, but the tl;dr is that we sit on all numbers for at least 2 months and wait until there's an acceptably low amount of inbound traffic before releasing them back into the available number pool.
Would love to hear how you're using us. Will drop you an email. (And thank you!)
Do the numbers being held register as disconnected to anyone calling them? It seems like that might cut down on some of the junk calls by the time they're released.
It absolutely does. Twilio should provide usage history on the phone #. The best predictor of future undesired/spam calls is prior call volume. The use case described sets up terrible downstream effects.
A number having high usage history does not necessarily mean it still is being used. Providing these numbers to the customer is a neat idea, but since they only provide an indicator for how it _was_ used they won't have much value. It might also be a bad PR move since users will draw conclusions from that history that might not be true.
There isn't an unlimited package to normal users afaik. But calls are cheap.
If you only want a number for a month, that's $1.
Leaving $3.25 worth of calls at $0.05 (0.01 incoming, 0.04 back out to your cell) a minute forwarded to a mobile to match. Over an hour of calls, which I wouldn't hit on a gumtree advert.
That $4.25 presumably doesn't include the outbound leg, does it?
Twilio also do SIP registration, so you can route calls to your handset via SIP even more cheaply. (0.004 for outbound, so 0.01 and 0.004, for over 3.5 hours for that $3.25.)
There are definitely usage cases for unlimited, but I don't think this is necessarily one of them unless you have a ridiculously high call volume. At that stage, I'd just use the voicemail to email Twimlet and bounce everyone into that.
Of course, the unlimited plan is only useful for a select few - if you want to plug it into your PBX and use it as a small support line (could be this case) or if you're making nightly calls for a few hours to relatives or a significant other, it's quite possibly worth it.
Depends what you're going to use it for and if you want that Twilio API really. If you just want a SIP number, it's pretty clear, but if you want all those nice API features and don't need super high volume, Twilio is probably the way to go.
Although there's something to be said for Twilio for straight up SIP too if you've got awkward fucking hardware. The Gigaset N300 is great, but the dialplan options are embarrassingly limited.
Twilio offer their own hosted Node.js (Twilio Functions - BETA) and TwiML Bins (free super-basic TwiML hosting with basic moustache templates for simple variable insertion.)
Pretty sure the whole project in the OP could have been done quicker and easier using Twilio Functions, but I get that it's more of a learning tutorial and example.
I use a combination of TwiML Bins, Functions and Twimlets to quickly chain together powerful functionality. And to work around the N300 dialplan limitations!
That is what this tutorial is advocating. Don't get me wrong this is a great project to explore kotlin and twilio. But ultimately a very expensive one if your number gets sold to a lot of other companies.
"Burner phone" is a colloquialism used in the United States referring to a limited-use prepaid phone, separate from your main phone, that's not tied to your identity. Usually used for drug deals or other criminal behavior.
This isn't really a burner phone as the Twilio link I clicked asked me for a bunch of personal information first.
It's a common thing in US spy/criminal movies. Basically a throwaway phone number not tied to you that you might give to an informant or use in some other way to stay anonymous.
but in this case it is probably tied back to you ... (the credit card used to pay Twilio...) So it is not really a burner phone in the traditional sense
Author is building a Spring MVC application but labels it as a "Kotlin app". Is it because Kotlin is the new hotness and the Spring Framework is "old" and "uncool"?
I imagine it has more to do with the fact that simply saying "Spring app" will make most people assume it's written in Java. It would perhaps be better to say it's a Kotlin Spring app, but honestly the web framework being used is probably less important than the language it's being written in.
According to that blog entry, it just makes that data hidden on the front-end and from the API, but it still resides on your servers. Has that policy changed?
Soft-deletes, which the blog indicates that you are doing, is very different from actual deletion.
To make the distinction clear, if a log of a call or message is deleted, can it be given to law enforcement? If so, it's not truly deleted.