This is cool. I've recently been thinking about getting a "burner" number for sharing outside my immediate circle.
Same for email - the idea would be to have a phone/email for public consumption and then a separate address and number for my inner circle of family/friends.
Same. Though for email there are good services like Fastmail (and likely many others) which already offer this and other benefits for a nominal subscription fee.
I haven't implemented this idea yet, but what stops us from just buying Twilio credits, getting a number through them and then writing a bit of glue code to their API to pull down SMS messages (for things like 2-factor codes, etc) and route them wherever we find personally convenient? Maybe Twilio is also selling our customer data paired with these numbers to data brokers, though, IDK. It's just a fleeting idea I've had.
Thank you! I'm going to check this out. A question about a comment you made elsewhere herein:
> My caveat about this is some services will silently ignore you if you try to use a virtual number. It's more useful for IRL where you don't want to throw your real number around much.
How, specifically, do other services detect this? Is it like with IP address space where it's possible to determine things like "this C block belongs to Entity X, Inc"? Are you aware of mechanisms to avoid this detection/blocking that don't require using a "real" number.
> How, specifically, do other services detect this?
I don't actually know specifically. I assume there are two different ways:
- The service is using Verify / Authy, which is owned by Twilio so likely Twilio themselves discourage it
- Looking up the number either through Twilio or some sort of central subscriber database. All virtual numbers are described as virtual numbers.
> Are you aware of mechanisms to avoid this detection/blocking that don't require using a "real" number.
Definitely gets into ethically gray areas since that would be super useful to nefarious people. I don't actually know for sure. I know from the recent Blizzard mobile 2FA controversy that this issue expands to also prepaid phone numbers.
So I don't know of a definitive way to get around it beyond using a postpaid number.
Somewhat related, near the end of my above mentioned service, I had pivoted into trying to launch a "21st century phone service" complete with SIM cards provided by Twilio.
The issue? They were still considered virtual numbers. At the time, in Twilio's defense, I was somewhat misusing their service because their SIMs were intended for IoT purposes not actual cellphone usage. That's all to say, it's likely provider / subscriber level vs something you can individually spoof.
> what stops us from just buying Twilio credits, getting a number through them
I was considering exactly this, or potentially getting a second mobile number via eSIM on my phone (which feels a bit more "permanent" but that might be delusion...)
I feel like we have very different expectations of what recruiters can and will do with personal information. I'm from within the EU, you?
Not that they don't share your email to other persons working for the same company (I've had some name I never heard of from RecruitCorp email me seven years after I last talked to someone from RecruitCorp), or I could imagine they keep their contacts when moving into / out of self-employment, but that's a far cry from public.
As someone in the UK and used to dealing with UK-based recruitment agencies, I didn't understand the recruiter hate until I had my first experience with one of those shitty "agencies" that claims to be in the UK (or whatever they're targeting) but is actually ran from a third-world call center right next to the tech support scammers. When it comes to those, obviously all bets are off when it comes to your personal information, and the recruitment industry in the US seems to be saturated with this scum much more so than in the EU.
However, even legitimate recruiters can be a problem if you get too many of them. I recently had to rotate my business number because I was getting pretty much one call a day from someone wanting to "have a chat". They're all nice, courteous and seem to know what they're doing, but the sheer quantity became a major problem especially when you're already fully booked and aren't open to new business.
Not worth it. I have a Google Voice number (free, easy, good UX). Now it’s a constant juggle of “which number did I give”. Especially since you presumably have already given away your current number. Even if you go all-in on burner number, there’s a question of longevity and risk. Do you give it to government? Do you give it to banks? Etc
> throwing a given problematic number away would already solve so much.
The search space of valid numbers is very small compared to email. A throw away number is surely a number that has already been trashed by dozens of users before you. It’d be useless unless you can make everyone forget it between users.
My personal cell number is 20 years old and gets almost no spam besides a rare robo call. Any throw away number I’ve acquire has a sordid history of being used as a honeypot it seems because it’s a cesspool.
I like what Mozilla has been doing with their services, but they have built a very confusing business model of many micro services that I just don't see a ton of people signing up for as independent subscriptions.
Why not bundle them all as one membership? Pocket, Mozilla VPN, Relay, Monitor, and whatever services they can scrape up premium options and features for to give them value?
i would like this too. i think you can do it with apple email relay.
currently i have example.com as my email, which i use with mailbox.org, would it be possible to keep using it with mailbox.org and then for mozilla to allow it to be used for email relays? e.g.
I assume this means you have an MX record at example.com pointing to your/mailbox.org SMTP server? AIUI, a sending MTA will look up the MX record for example.com by preference order and will deliver emails to the first server that accepts the connection.
So it may depend if you can configure your mailbox.org account/server to reject connections from servers trying to send mail to unknown addresses? Then the sending MTA server might "fail over" to the Relay server instead?
Great to hear!
One suggestion; I think it would be great to have an integration with smartphones Contact apps. This way a user can leverage autocomplete and do not disturb rules on mobile.
I can't tell if /s is missing or not but Mozilla had a standalone password manager eventually it changed its name to Lockwise, and once all my passwords were in it, they sunsetted it even quicker than a google product.
It's still a thing, they only got rid of the standalone app. Now it's just part of the actual Firefox app though you can apparently use it to autofill in other apps on android at least.
The only way to really prevent it is to allowlist specific numbers you know will call the number and send "Number disconnected" signals for the rest. Eventually, the number gets quieter until it can be reached again.
The ideal setup would be to have a private number that you never give out that denies anyone not on your allow then use throwaway numbers you can turn on and off as you need them.
I used to have it where I would give numbers out then only have them 'active' when I was expecting a call.
My original hypothesis was that the numbers were harvested, my new one (and likely correct) is that numbers are randomly dialed.
> The only way to really prevent it is to allowlist specific numbers you know will call the number and send "Number disconnected" signals for the rest.
Yes, recently I was on a spree, receiving roughly 40 calls a day, I had to set my phone to not accept calls outside contacts, but then what is even the point of having a phone number at all.
I think the idea is to give your real email and phone number to real friends and family; then you use the relayed one with online services who might sell or lose the data. Then you could presumably ditch the related info after the spam gets to be too much? Or maybe you just do it to be more anonymous?
But - originally - you give a number (be it real or Mozilla or "burner") in order to be contacted by someone (and then somehow it was leaked to the robocallers).
The moment you change or abandon the number (be it Mozilla or "burner") that someone won't be able to contact you anymore.
But if you keep it, with the burner at least that someone will still be able to call you at the end of the month (when the the robocallers will have already eaten the 50 minutes allowed by Mozilla).
But if you can use a unique number per service, you now know which company is selling your PII and you could address that either by switching to a competitor or, depending on the legal specifics, sue/expose them.
That's a shame, it wasn't entirely clear from the article but I assumed it must be multiple numbers since it didn't seem to me like it would be all that useful otherwise.
It would kind of make sense if you could "open" the relay when you need to 2fa, and then you close it again after. With this usepattern you would only need one alias, that would be closed 99.9% of the time.
Maybe you use it as part of a multi-layered approach to personal digital privacy.
Without having hired a lawyer to dissect the TOS and Privacy Policy for Mozilla's new service here, I'm going to assume for the sake of argument that they will not sell the data to brokers. If that is true, then it's one more way to try and keep your true PII out of circulation. For instance, maybe you pair this with a high quality VPN offering, browser plugins or whole-network based stuff like pi-hole/etc along with also using aliased credit card numbers through services like Privacy.com or other similar offerings. Then when you "sign up for an account" or "make online purchase" you could use name like John Smith, private/aliased email, etc etc... This just puts distance between your activity and your true identity.
With all that setup you have at least _some_ chance of evading a decent amount of the persistent and invasive tracking that is beginning to be top of mind for many people.
Service-unique email / username + service-unique credit card is good enough for, I'd estimate, 95% of people.
You are trying to avoid wholesale scoops of info and automated credential stuffing. If your threat model is people specifically seeking out and targeting you: godspeed.
> Also, probably wont work for services that require a phone number but don't accept VOIP numbers.
I'm running into an increasing number of these, and it's annoying because I use Google Voice as my primary phone number. Using VOIP is important for me because I travel frequently between the US and EU.
Aside from being inconvenient for me, I take blocking VOIP as a red flag that the service might want to misuse my phone number.
I effectively did this with Google Voice back when.
I would give marketers my Google voice number, it had better interface (and on cloud instead on device) contact management. I could send non favorites to a voice identification prompt (voiding all slow recordings or agents making multi calls that have a pickup delay) and for the final small percentage voice transcripts that I could determine if important.
Or for craigslist, I could forward calls to a phone for a short period of time, then turn off forwarding.
I still use google voice like that, give it out when I absolutely have to give a phone number (because they verify by text or whatever) but have the app set to silent.
Google does a really good job of filtering out the telemarketing calls so the rare message is usually valid.
Pretty much the only time I have to open the app is this one stupid company (coughWalmartcough) which insists on doing 2FA via text every single time I want to check the balance on my prepaid debit card.
Totally agree, this should be a telephone version of a spam folder. I have a legacy google voice plan that I use for this, but would be happy to pay a couple bucks a month to Mozilla for a comparable service.
> If you find yourself receiving too many unwanted spam calls or texts, you can easily turn it off for all phone numbers or select the specific ones you want to block.
So it sounds like if your aliased phone number has issues, you can block those specific ones. In theory, you can do that now from your phone, for individual numbers, but it isn't applied if you switch devices. So it's a very moderate improvement.
Additionally, your existing phone number is probably already overwhelmingly accessible to robo-callers, i.e. the cat is already out of the bag.
Yeah, I'm a little confused on the use case for this. I guess I could put all of the annoying services that demand a phone number for totally-only-security purposes-trust-us into a "bucket" number. It doesn't sound like it is a feature but I'd prefer that calls and texts to that number just be outright ignored unless I've turned the number on temporarily for verification. But since they have started rejecting VOIP numbers for verification, and now even prepaid phone numbers (!) for verification I feel like this probably won't work for that either.
I personally only use prepaid cards so a service that makes them appear like post paid might be useful on its own though.
The fact that you only get one number and you can't change is seems to blunt some of the utility. Ideally you'd want a separate number for each service and to have them all turned off, to block identifying you as the same user of different services. Not quite as easy to do with finite numbers as with email address suffixes.
I wonder if you could use this like 5sim or other shady text verification services by just remaking a monthly account. I suspect that is not the idea here and probably forbidden, otherwise they'd let you change numbers.
This is definitely just the first step; we've got lots of ideas for additional protections we could add, and are monitoring usage and feedback [1] to inform our roadmap.
What this first version gives you is a way to add a tier of trust to your phone number: your Relay number for untrustworthy partners, and your true phone number for important things. That means that data leaks of untrustworthy services can no longer be linked to the important ones through your phone number. Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.
I'm not terribly familiar with Google Voice (it also isn't available in my country...), but they look similar in terms of functionality at this point in time. For me personally, the primary reasons to go with Relay would be that I'm already trying to move away from Google as much as possible for privacy reasons, that I'm already using Relay for email masking, and that Relay is explicitly focused on the privacy use case and will keep evolving in that direction.
I can relate to the privacy-focused goal of getting away from google however Google Voice is free. Sadly I think having a competing free Google product that accomplishes most of the same things is going to hurt adoption of the Firefox relay product (which is paid)
>This is definitely just the first step; we've got lots of ideas for additional protections we could add, and are monitoring usage and feedback [1] to inform our roadmap.
Yes, and I don't doubt in the least that it may become the third best thing in life after icecream and sliced bread, but right now its usage cases and advantages seem not clear.
Maybe it could be useful to people that lose/get stolen their phone/number, since this mask is "centralized" you change the connected "real" number to a new one only in one place instead of updating several places where the old real number is stored.
>Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.
I still don't understand.
If I use this relay, giving this mask number to three different organizations for - say - 2FA or emergency recovery or similar, any call or SMS to that number must come from one of the three (untill it is leaked).
Once it is leaked it may still come from any of the three or from someone who is attempting a phishing call, what is the difference against a "main" number or a spare "burner" one?
Like email masks, we recommend using the phone mask for untrusted organisations. In other words, if you need to provide a phone number to get a shopping coupon, use your Relay number. If your bank wants to do 2FA via SMS (please no, but you know how banks are...), provide your true number.
Now, if you get a phishing attempt that looks like it's from your bank, but it's sent to your Relay number, that should be an additional sign that it's unlikely to actually be from your bank.
Still, I see no differences with a second number/burner phone.
For e-mails, a strategy I used and that worked (at a time I had a domain with its own mail server) is to give a "non-existing" e-mail, like specificsite@mydomain.com, the mail server was set to have a "catch-all" account, so specificsite@mydomain.com would arrive (together with messages to anything@mydomain.com, etc.) to this catch-all inbox, while identifying by the address used the "source".
With telephone numbers, a possibility would be to fake a PBX with internal numbers (no idea if it is feasible) i.e. if the relay main number is 123456789, have it working with added "internal" numbers, such as 123456789101, 123456789102, etc.
> Still, I see no differences with a second number/burner phone.
That's because that's essentially what this is :)
And yes, that's how Relay for email works (although instead of using mydomain.com, you use mozmail.com, so your different email masks can't be linked together).
We'd definitely like to support a similar pattern for phones, but we still have to figure out a way to do that. Using extensions is one thing we'll be looking at (was also suggested at [1]), but a challenge there is that many services have rather strict validation rules on phone numbers that will disallow that. But it might still be worth it, so stay tuned!
If y'all are interested in something like this, let me know. I wrote a service exactly like this [0] and it sort of flopped because the marketing plan was bad and I struggled to crack my (poorly chosen) target market of 'privacyfreaks'.
If you want to re-co-found with me on marketing / sales, hit me up: maddie+hn[at]qnzl.co. I tried some pivots, sucked at marketing it, I occasionally get asked about where it went.
---
If anyone wants to run their own instance using Twilio, I open-sourced the basic structure of my previous service [1] so it should be fairly plug-and-play to do this cheaper ($1 per number + small usage fee) and for more numbers.
My caveat about this is some services will silently ignore you if you try to use a virtual number. It's more useful for IRL where you don't want to throw your real number around much.
ya that's useful. I do like this service. I have noticed more and more that people are asking for phone numbers for app registration and even in person I have seen this. A phone number to me is private and personal.
The firefox service is priced well but 75 texts and 50 minutes of voice is fairly limited. The burner phone services that exist are too sketchy and too expensive for my taste.
I don't like marketing or sales but if you could market yourself as a privacy focused, Free/Libre solution that wasn't a sketchy fly by night operation and offered more than a closed source phone app I would subscribe.
Twilio itself seems to be oriented towards businesses and not individuals which is why I did not sign up with them.
This service seems interesting for people who are establishing net new phone numbers, but for those of us who have existing numbers they've been using, the barn door is already open. This wouldn't get us off existing lists.
Isn't this Google Voice which was once Grand Central (12 years ago)?
Forward your phone number to a different number through gvoice. For email, add a '+' symbol to your email address and filter them out if they get abusive.
> this feature is available in the U.S. and Canada
Bummer. Before reading this, I was so excited, since robocalls and sketchy SMS messages with malware payloads have plagued my phone for years, and now it's not available to me (I'm in the EU).
> Each month you will receive up to 50 minutes for incoming calls and 75 text messages. All phone number masking plans will include unlimited email masking. The cost is $3.99 a month for an annual plan or $4.99 a month for a monthly plan.
So you pay $4-5 per month and you're still limited? I was expecting there would be some free amount and after that it's paid.
Google Voice numbers are reported as landlines, there seems to be some way to verify that a number is actually mobile. Very likely that Mozilla's report as landline. Banks (capital one) have definitely balked at my google voice number.
What these burner numbers are great for are rewards programs. I sign up for every one I can with my GV number!
I'd be very interested to know if they work for SMS-only applications. I guess it's only $5 to try and find out. If anyone has tried, please report back!
When I look up my Google Voice number, it shows up as VoIP (not quite landline) with the carrier being Grand Central - SVR. It seems likely that Mozilla's service will similarly show up as VoIP. Some places are filtering VoIP numbers from their SMS verification schemes, but most places will let you sign up for promotional texts from a VoIP number.
There was something recently around a game which was able to detect if a user's phone number was on a prepaid or postpaid plan. I had no idea carriers share this information with others.
Maybe this is a good place to ask: I'm a British expat living in the USA, and for a while now I've wanted a service which provides a British phone number, and forwards calls and texts to my US number, while also allowing me to send texts and make calls "from" the UK number if I want to.
It looks like I might be able to do this with Twilio, but I'm not a developer, and quickly got frustrated trying to build what I wanted.
Is there a service that will do this for me at a reasonable price?
Check out Andrews & Arnold. They provide real 07 numbers that aren't classified as VoIP by most providers, so they will actually work fine for most online services too.
(my company resells these with some add-on services on top, but for your use-case you're better off just going to the source directly)
I was tempted by this but I've heard they'll shut down your service if they figure out you're outside the UK? I still have a UK number at the moment but if I could port to A&A without worrying about this I totally would.
Maybe just reach out, they take pride in their support and are very accommodating. If their concern is about payment, you may get around that by offering to prepay for a year's worth of usage upfront.
> Currently, this feature is available in the U.S. and Canada. As we roll out this feature, we will explore how we can expand this offering to outbound calls and texts, as well as to other regions.
(Edited to add:) And I feel your pain - I'm a Relay engineer in the Netherlands, and I can't even use this myself... But unfortunately, it's not easy to offer this elsewhere at a reasonable price, so we're still figuring that out.
This looks nice. I'm currently using Tutanota and love it. Seems like it would be possible to connect this with Firefox Relay, digging into it a bit more!
It would be great if someone could package several virtual services into one app. Virtual cc number, virtual email address, virtual phone number all with one click. That way I can sign up for some in-store membership with working info, get the discount, and never worry about my info being compromised.
I use Fastmail for what they call Masked Email, and Privacy.com for unique debit cards for shopping online. They both integrate with 1Password. So when I sign up for a new account, 1Password generates a Masked Email, a random password, and a unique debit card, and saves it all, and I LOVE IT!
> Next, you will be prompted to verify your true phone number where the calls and texts will be forwarded to via text message. After verification, we will generate your phone number mask.
Doesn't feel necessary to me really. I've never ever been in the need for an incoming call, just for sms. And I'd much rather have them sent to an email rather than my actual phone too (and then I wouldn't need to share my phone number with this service either). That would be a real use-case for me. But paying a monthly subscription for that twice a year sms isn't that great either.
I currently have a pre-paid sim and an old phone for this usecase. It kind of sucks and I don't have access to it when I'm not home (sure, there are ways to sync this but haven't felt a big enough need for it yet).
I think TextNow offers a better solution and I've been using it to do this for quite some time and it doesn't require any kind of forwarding. I can send/receive calls and messages directly from within its app and recycle numbers at any time - all for free (ad supported). Calls are of great quality too and it even includes voicemail. If I really like a number and want to lock it (to also receive 2FA codes), it's a yearly $7 fee. Works with area codes in US and Canada.
I think there are other options like Fongo and probably a dozen other similar services that already have been doing this for some time. Not really seeing the value proposition of going with the Mozilla option here. Am I missing something?
I silently miss so many incoming calls with TextNow and from reviews it seems I'm not the only one, but I don't really know another option for a Canadian number.
I have heard similar things from friends that use it on iOS but on Android, I haven't missed any call I was expecting. Even when I've lost connection to data (e.g., in an elevator or something) and a call was made, at least I see the missed call notification after my data was restored. Fongo is another option for a Canadian option.
Spam calls are not the reason it is bad to give your number out; it isn’t related to calls at all.
Your number is your permanent cross-app, cross-company tracking identifier. It is a lookup key for your name, address, income bracket, email, spam history, etc.
This is why so many apps require it during signup.
Just set up an email service and everything and start offering similiarities to Google's web ecosystem already. Mozilla doesn't need to worry about devices or a cloud division, or even a search engine (yet? Brave has one).
The slower they are to realize they need to do all that to stay relevant, the faster Firefox's market share shrinks
133 comments
[ 2.8 ms ] story [ 188 ms ] threadSame for email - the idea would be to have a phone/email for public consumption and then a separate address and number for my inner circle of family/friends.
I haven't implemented this idea yet, but what stops us from just buying Twilio credits, getting a number through them and then writing a bit of glue code to their API to pull down SMS messages (for things like 2-factor codes, etc) and route them wherever we find personally convenient? Maybe Twilio is also selling our customer data paired with these numbers to data brokers, though, IDK. It's just a fleeting idea I've had.
Go wild. Gets you like 90% of the way there.
> My caveat about this is some services will silently ignore you if you try to use a virtual number. It's more useful for IRL where you don't want to throw your real number around much.
How, specifically, do other services detect this? Is it like with IP address space where it's possible to determine things like "this C block belongs to Entity X, Inc"? Are you aware of mechanisms to avoid this detection/blocking that don't require using a "real" number.
I don't actually know specifically. I assume there are two different ways:
- The service is using Verify / Authy, which is owned by Twilio so likely Twilio themselves discourage it
- Looking up the number either through Twilio or some sort of central subscriber database. All virtual numbers are described as virtual numbers.
> Are you aware of mechanisms to avoid this detection/blocking that don't require using a "real" number.
Definitely gets into ethically gray areas since that would be super useful to nefarious people. I don't actually know for sure. I know from the recent Blizzard mobile 2FA controversy that this issue expands to also prepaid phone numbers.
So I don't know of a definitive way to get around it beyond using a postpaid number.
Somewhat related, near the end of my above mentioned service, I had pivoted into trying to launch a "21st century phone service" complete with SIM cards provided by Twilio.
The issue? They were still considered virtual numbers. At the time, in Twilio's defense, I was somewhat misusing their service because their SIMs were intended for IoT purposes not actual cellphone usage. That's all to say, it's likely provider / subscriber level vs something you can individually spoof.
I was considering exactly this, or potentially getting a second mobile number via eSIM on my phone (which feels a bit more "permanent" but that might be delusion...)
Also LinkedIn will give away your contact details.
Your Bank or any service important to you may get hacked and your phone number leaked.
Not that they don't share your email to other persons working for the same company (I've had some name I never heard of from RecruitCorp email me seven years after I last talked to someone from RecruitCorp), or I could imagine they keep their contacts when moving into / out of self-employment, but that's a far cry from public.
However, even legitimate recruiters can be a problem if you get too many of them. I recently had to rotate my business number because I was getting pretty much one call a day from someone wanting to "have a chat". They're all nice, courteous and seem to know what they're doing, but the sheer quantity became a major problem especially when you're already fully booked and aren't open to new business.
Phone numbers don't quite have the same dynamic, but just having the ability of throwing a given problematic number away would already solve so much.
The search space of valid numbers is very small compared to email. A throw away number is surely a number that has already been trashed by dozens of users before you. It’d be useless unless you can make everyone forget it between users.
My personal cell number is 20 years old and gets almost no spam besides a rare robo call. Any throw away number I’ve acquire has a sordid history of being used as a honeypot it seems because it’s a cesspool.
Why not bundle them all as one membership? Pocket, Mozilla VPN, Relay, Monitor, and whatever services they can scrape up premium options and features for to give them value?
currently i have example.com as my email, which i use with mailbox.org, would it be possible to keep using it with mailbox.org and then for mozilla to allow it to be used for email relays? e.g.
name@example.com goes to mailbox.org
3859dhtog@example.com goes to firefox relay
(not currently ofc, but a future thing)
So it may depend if you can configure your mailbox.org account/server to reject connections from servers trying to send mail to unknown addresses? Then the sending MTA server might "fail over" to the Relay server instead?
https://github.com/mozilla/fx-private-relay/issues/new
FWIW, when you get a Relay number, we text you a contact card for it, so you can save it into your phone's contacts app.
That would be cool; then I could unsubscribe from all of them with a single action.
Why is this branded "Firefox"? This is apparently a Mozilla project, unrelated to their web browser.
The only way to really prevent it is to allowlist specific numbers you know will call the number and send "Number disconnected" signals for the rest. Eventually, the number gets quieter until it can be reached again.
The ideal setup would be to have a private number that you never give out that denies anyone not on your allow then use throwaway numbers you can turn on and off as you need them.
I used to have it where I would give numbers out then only have them 'active' when I was expecting a call.
My original hypothesis was that the numbers were harvested, my new one (and likely correct) is that numbers are randomly dialed.
That's my tactics via an app.
Now:
1) You give your real number to someone.
2) Somehow your real number goes into a list used by robo-callers.
3) A robo-call arrives on your real number, disturbing your peace.
After:
0) You give Mozilla 3.99 or 4.99 US$/month
1) You give your Mozilla number to someone.
2) Somehow your Mozilla number goes into a list used by robo-callers.
3) A robo-call arrives on your Mozilla number, that promptly relays it to your real number, disturbing your peace.
You cannot change your Mozilla number, so it is basically an "alias" number, where is the advantage?
Stopping paying so that the number becomes invalid?
But then you won't be reachable anymore by the people you gave that number to.
It’s like the concept of a “burner phone” I think
The moment you change or abandon the number (be it Mozilla or "burner") that someone won't be able to contact you anymore.
But if you keep it, with the burner at least that someone will still be able to call you at the end of the month (when the the robocallers will have already eaten the 50 minutes allowed by Mozilla).
> You only get one phone number mask at this time. Once you choose your phone number mask, you cannot change it later.
That makes it impossible to use as a "burner" number.
Without having hired a lawyer to dissect the TOS and Privacy Policy for Mozilla's new service here, I'm going to assume for the sake of argument that they will not sell the data to brokers. If that is true, then it's one more way to try and keep your true PII out of circulation. For instance, maybe you pair this with a high quality VPN offering, browser plugins or whole-network based stuff like pi-hole/etc along with also using aliased credit card numbers through services like Privacy.com or other similar offerings. Then when you "sign up for an account" or "make online purchase" you could use name like John Smith, private/aliased email, etc etc... This just puts distance between your activity and your true identity.
With all that setup you have at least _some_ chance of evading a decent amount of the persistent and invasive tracking that is beginning to be top of mind for many people.
You are trying to avoid wholesale scoops of info and automated credential stuffing. If your threat model is people specifically seeking out and targeting you: godspeed.
I can already do that on my phone, and it is kind of useless due to caller-id spoofing that most robocallers use.
Also, probably wont work for services that require a phone number but don't accept VOIP numbers.
I wish the article addressed these issues.
>I can already do that on my phone, and it is kind of useless due to caller-id spoofing that most robocallers use.
Yes, I cannot see in which way this "black-listing" on Mozilla is different/better.
I'm running into an increasing number of these, and it's annoying because I use Google Voice as my primary phone number. Using VOIP is important for me because I travel frequently between the US and EU.
Aside from being inconvenient for me, I take blocking VOIP as a red flag that the service might want to misuse my phone number.
I would give marketers my Google voice number, it had better interface (and on cloud instead on device) contact management. I could send non favorites to a voice identification prompt (voiding all slow recordings or agents making multi calls that have a pickup delay) and for the final small percentage voice transcripts that I could determine if important.
Or for craigslist, I could forward calls to a phone for a short period of time, then turn off forwarding.
Google does a really good job of filtering out the telemarketing calls so the rare message is usually valid.
Pretty much the only time I have to open the app is this one stupid company (coughWalmartcough) which insists on doing 2FA via text every single time I want to check the balance on my prepaid debit card.
> If you find yourself receiving too many unwanted spam calls or texts, you can easily turn it off for all phone numbers or select the specific ones you want to block.
So it sounds like if your aliased phone number has issues, you can block those specific ones. In theory, you can do that now from your phone, for individual numbers, but it isn't applied if you switch devices. So it's a very moderate improvement.
Additionally, your existing phone number is probably already overwhelmingly accessible to robo-callers, i.e. the cat is already out of the bag.
I personally only use prepaid cards so a service that makes them appear like post paid might be useful on its own though.
The fact that you only get one number and you can't change is seems to blunt some of the utility. Ideally you'd want a separate number for each service and to have them all turned off, to block identifying you as the same user of different services. Not quite as easy to do with finite numbers as with email address suffixes.
I wonder if you could use this like 5sim or other shady text verification services by just remaking a monthly account. I suspect that is not the idea here and probably forbidden, otherwise they'd let you change numbers.
With a virtual cc number, I create a new number on demand for each service I need, and disable it after I don’t need it anymore.
With virtual email addresses, I create a virtual address and delete it after I don’t need it anymore.
Unless there is a phone number analog, a single number is only useful until that number is compromised. Which could be day 1.
This is definitely just the first step; we've got lots of ideas for additional protections we could add, and are monitoring usage and feedback [1] to inform our roadmap.
What this first version gives you is a way to add a tier of trust to your phone number: your Relay number for untrustworthy partners, and your true phone number for important things. That means that data leaks of untrustworthy services can no longer be linked to the important ones through your phone number. Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.
But again, there is more to come, so stay tuned.
[1] See also https://connect.mozilla.org/t5/discussions/firefox-relay-pho...
Yes, and I don't doubt in the least that it may become the third best thing in life after icecream and sliced bread, but right now its usage cases and advantages seem not clear.
Maybe it could be useful to people that lose/get stolen their phone/number, since this mask is "centralized" you change the connected "real" number to a new one only in one place instead of updating several places where the old real number is stored.
>Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.
I still don't understand.
If I use this relay, giving this mask number to three different organizations for - say - 2FA or emergency recovery or similar, any call or SMS to that number must come from one of the three (untill it is leaked).
Once it is leaked it may still come from any of the three or from someone who is attempting a phishing call, what is the difference against a "main" number or a spare "burner" one?
Now, if you get a phishing attempt that looks like it's from your bank, but it's sent to your Relay number, that should be an additional sign that it's unlikely to actually be from your bank.
For e-mails, a strategy I used and that worked (at a time I had a domain with its own mail server) is to give a "non-existing" e-mail, like specificsite@mydomain.com, the mail server was set to have a "catch-all" account, so specificsite@mydomain.com would arrive (together with messages to anything@mydomain.com, etc.) to this catch-all inbox, while identifying by the address used the "source".
With telephone numbers, a possibility would be to fake a PBX with internal numbers (no idea if it is feasible) i.e. if the relay main number is 123456789, have it working with added "internal" numbers, such as 123456789101, 123456789102, etc.
That's because that's essentially what this is :)
And yes, that's how Relay for email works (although instead of using mydomain.com, you use mozmail.com, so your different email masks can't be linked together).
We'd definitely like to support a similar pattern for phones, but we still have to figure out a way to do that. Using extensions is one thing we'll be looking at (was also suggested at [1]), but a challenge there is that many services have rather strict validation rules on phone numbers that will disallow that. But it might still be worth it, so stay tuned!
[1] https://connect.mozilla.org/t5/discussions/firefox-relay-pho...
If you want to re-co-found with me on marketing / sales, hit me up: maddie+hn[at]qnzl.co. I tried some pivots, sucked at marketing it, I occasionally get asked about where it went.
---
If anyone wants to run their own instance using Twilio, I open-sourced the basic structure of my previous service [1] so it should be fairly plug-and-play to do this cheaper ($1 per number + small usage fee) and for more numbers.
My caveat about this is some services will silently ignore you if you try to use a virtual number. It's more useful for IRL where you don't want to throw your real number around much.
[0]: https://news.ycombinator.com/item?id=18311146
[1]: https://github.com/qnzl/twilio-basic-server
The firefox service is priced well but 75 texts and 50 minutes of voice is fairly limited. The burner phone services that exist are too sketchy and too expensive for my taste.
I don't like marketing or sales but if you could market yourself as a privacy focused, Free/Libre solution that wasn't a sketchy fly by night operation and offered more than a closed source phone app I would subscribe.
Twilio itself seems to be oriented towards businesses and not individuals which is why I did not sign up with them.
Forward your phone number to a different number through gvoice. For email, add a '+' symbol to your email address and filter them out if they get abusive.
It's still trivial to parse your real email address from this. With Relay your real email address is completely obfuscated.
Bummer. Before reading this, I was so excited, since robocalls and sketchy SMS messages with malware payloads have plagued my phone for years, and now it's not available to me (I'm in the EU).
So you pay $4-5 per month and you're still limited? I was expecting there would be some free amount and after that it's paid.
Will this SMS work for account verification?
What these burner numbers are great for are rewards programs. I sign up for every one I can with my GV number!
There was something recently around a game which was able to detect if a user's phone number was on a prepaid or postpaid plan. I had no idea carriers share this information with others.
I doubt it. It looks like they're using twilio under the hood, and those are most definitely detected as VOIP numbers.
It looks like I might be able to do this with Twilio, but I'm not a developer, and quickly got frustrated trying to build what I wanted.
Is there a service that will do this for me at a reasonable price?
(my company resells these with some add-on services on top, but for your use-case you're better off just going to the source directly)
i can't see any option when i log on from the uk.
> Currently, this feature is available in the U.S. and Canada. As we roll out this feature, we will explore how we can expand this offering to outbound calls and texts, as well as to other regions.
(Edited to add:) And I feel your pain - I'm a Relay engineer in the Netherlands, and I can't even use this myself... But unfortunately, it's not easy to offer this elsewhere at a reasonable price, so we're still figuring that out.
https://kozubik.com/items/2famule/
Fastmail referral url: https://ref.fm/u26310488
Privacy.com referral url: https://privacy.com/join/JCPFN
Doesn't feel necessary to me really. I've never ever been in the need for an incoming call, just for sms. And I'd much rather have them sent to an email rather than my actual phone too (and then I wouldn't need to share my phone number with this service either). That would be a real use-case for me. But paying a monthly subscription for that twice a year sms isn't that great either.
I currently have a pre-paid sim and an old phone for this usecase. It kind of sucks and I don't have access to it when I'm not home (sure, there are ways to sync this but haven't felt a big enough need for it yet).
I think there are other options like Fongo and probably a dozen other similar services that already have been doing this for some time. Not really seeing the value proposition of going with the Mozilla option here. Am I missing something?
Will stick with Simplelogin.io, which is included for free with Proton Unlimited.
1: https://github.com/mozilla/fx-private-relay/issues/1639
Your number is your permanent cross-app, cross-company tracking identifier. It is a lookup key for your name, address, income bracket, email, spam history, etc.
This is why so many apps require it during signup.
Why would someone pay for this? Just to stick it to google?
Why do i pay for email? To not use Google. How is "paying for your service" so obscure to you?
The slower they are to realize they need to do all that to stay relevant, the faster Firefox's market share shrinks