
This is a specific example of what should be a much more general practice: having separate protocols for establishing an initial contact and establishing a communications session with an already existing contact. My email spam filter is based on this. It does a first-stage separation between email from people I've corresponded with in the past and everything else. That simple heuristic is enough to achieve >99% accuracy all by itself.


Stepping back a bit, I find it kind of strange that knowledge of a 7-digit number is all that's required for anyone in the world to (by default) immediately interrupt someone.


Here's a thought. If the concept of a phone was never invented, and nobody knew what one was, and then suddenly here in 2024, an app company invented an app where:

- The user could type in a N digit number and hit a button...

- This would cause another user's device to instantly stop doing what it was doing, ring and buzz with a modal popup window...

- With no authentication whatsoever or often even no identification...

- And then if that other user pushed a button, it allowed the initial user to be able to instantly start sending them voice

This thing would never make it past any app store's guidelines, and would likely be unacceptable to users. It's intrusive, invasive, and practically invites abuse and spam. Yet, since The Phone is an actual historic invention that goes back decades, it's culturally acceptable for I guess legacy reasons.


Calling used to be expensive.


In the prehistoric era (and continuing into the present day), all that's required to interrupt someone is a set of vocal cords you can use to talk to them, or a finger you can use to tap them on the shoulder, or a fist you can use to knock on their door. The universe isn't naturally shaped in a way that makes interrupting difficult, and never has been.


I'm pretty sure that if the phone system didn't exist, no one from a call center in South Asia would have ever come all the way to rural Canada to try to tell me I have a computer virus that they can fix for a few hundred dollars.


Maybe not exactly that, but traveling salesmen (snake oil, encyclopedias) used to be more of a thing.


You also have to be physically near them.

> The universe isn't naturally shaped in a way that makes interrupting difficult, and never has been.

Yes it is... physical space is shaped to keep most people from being able to interrupt you. Being able to call anyone around the world changed that.


What common physical space keeps people from interrupting you?

- I had my own room as a kid. My parents and brother banged on the door whenever they pleased.

- I worked at a tech company, had my own desk, and wore headphones. Coworkers still sent me Slack messages and tapped me on my shoulder.

- I've lived in a home in the burbs. People came to my home and rang the bell.

None of them were hard for the interruptor to do, and all of them happened frequently. In fact, I would argue that they are more frequent than the number of phone calls I get nowadays, which are actually much easier to screen/ignore than any of the above interruptions.


I think their point is in physical space, dozens to maybe thousands of people (if there's a lot of people around you, I guess?) can easily interrupt you at any given moment. With phones and things like Slack, hypothetically anyone near a phone can interrupt you if you're near your phone. Which people usually keep near them.

I would say, depending on how bad someone has it, they could get 1 to 3 spam calls a day. I assume if someone was getting consistently more than that they'd use a screener to lower it. That's a significant amount.


In all of the places named above, people have interrupted me more than once a day, and I don't think that's abnormal. And again, it's much easier and less rude to put my phone on silent for unknown numbers, than it is to ignore a coworker/friend/neighbor/partner/child who's trying to get my attention, or even a stranger at my door.

I'm not here defending spam calls. They are annoying AF.

Nor do I disagree that hypothetically more people on Earth have access to us than ever before. Of course they do.

Nor do I find being interrupted pleasant. I personally find it very annoying, even when it's a loved one.

I'm just making the point that this idea of world where people weren't easy to interrupt never existed.


All of the same people who could interrupt you before still can, in all the same ways. In addition, people can call you and interrupt you that way, too.

I am not saying people couldn’t interrupt before, there are simply more ways for more people to interrupt you than ever before.


On the contrary, due to devices like phones and the internet, I have a smaller number of interruptive people in my immediate vicinity than I probably would have decades or centuries ago. Friends and loved ones feel more comfortable moving away, it's become more of a norm, because it's easier than ever to keep in touch over long distances, and so they don't knock on my door, because they don't even live in my city. And on the flip side, I find myself surrounded by lots of strangers who don't know me, and so don't knock on my door or stop me on the street either.

I'm trying to change this, however, and make a lot more local friends. Despite the higher potential for being interrupted.


Technology reducing distance kinda changes the game though.


That's a local phone number in the US. It's 10 digits nationally. More internationally.


So I always thought that, but weirdly a bunch of countries are just on the US exchange system. It's still billed as an international call, but for example Bermuda is just 441. The American in me chuckles a bit at the idea of the UK's monarchs needing to dial 1 first to call their own territory.


I can guarantee you that a UK monarch has never dialed a telephone on their own.


Though according to The Crown, they are constantly jabbering on the phone. After some designated member of staff dials it with a dialing glove, no doubt.


or driven one of those horseless carriages either I assume


Why does 011 not apply?


011 is north america's international calling prefix.

1 is north america's calling code.


Interesting point. 7 digits was in part chosen because people used to have to remember phone numbers.

So.. add a few digits and suddenly spammers would have trouble.

On the other hand, add a few digits to phone numbers and Y2K might look like a walk in the park.


I navel-gaze that if we redesigned communications from the ground up we could handle this better. When you greet someone physically you can add each other as known trusted contacts immediately. And when you sign up to some service online and have to put in your contact info, that likewise prompts you to add them as a contact. And you can't share along a contact you know to someone else without that contact ID uniquely identifying you.

That way, everyone who should contact you can do so and if someone else gets their hand on your contact info you can figure out who leaked it.


I do this with my email. I have a bunch of different emails under my own domain, and I use info+uniqueidentifier@domain.org for registrations which do not warrant their own actual email handle.

This way, I can easily filter incoming email, and I can see where an email came from if any party sells my data.

This also works with GMail by the way, you can use youraccount+anyrandomstring@gmail.com and emails will still be delivered to you.

I use a separate email handle that I only hand out to actual human beings, never to companies and never use for account registrations.

This has worked really well for the past 15 years or so.
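The tagging scheme described in the comments above (a per-registration suffix on one mailbox, used both to filter and to see who leaked the address) can be made mechanical. The following is an added example, not code from the original thread or from any mail provider; the tag registry, the domains and the sample messages are constructed for illustration. It generalizes a little beyond the "+" convention by taking the delimiter as a parameter, so the same routine covers qmail-style "-" tags, and it also shows the one-line canonicalization a spammer or breach-correlation script applies to collapse every tagged alias (and Gmail's dot variants) back to the base mailbox.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed registry: every tag handed out at signup, and the sender domain it was given to.
# A tag absent from this table was never issued.
ISSUED_TAGS = {
    "autozone": "autozone.example",
    "x7q2": "school.example",      # short code read out to a human over the phone
    "shop9f": "shop.example",
}

BASE_LOCAL = "info"        # the mailbox that carries the tags
OWN_DOMAIN = "example.org"


@dataclass(frozen=True)
class Verdict:
    tag: Optional[str]
    verdict: str               # "ok", "spam-bare", "unknown-tag" or "leaked"
    issued_to: Optional[str]   # sender domain the tag was originally given to


def split_address(address: str) -> Tuple[str, str]:
    """Return (local, domain), lowercased, for 'Local@Domain'."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return local, domain


def split_tag(local: str, delimiter: str = "+") -> Tuple[str, Optional[str]]:
    """'info+autozone' -> ('info', 'autozone'); no delimiter -> ('info', None).
    Only the first delimiter counts, matching how Postfix recipient_delimiter splits."""
    base, sep, tag = local.partition(delimiter)
    return base, (tag if sep else None)


def canonicalize(address: str, delimiter: str = "+") -> str:
    """What a spammer's strip script or a breach-correlation script computes: drop the tag,
    and for Gmail also drop the dots, so every alias collapses to one mailbox."""
    local, domain = split_address(address)
    base, _ = split_tag(local, delimiter)
    if domain in ("gmail.com", "googlemail.com"):
        base = base.replace(".", "")
    return f"{base}@{domain}"


def route(recipient: str, sender: str, delimiter: str = "+") -> Verdict:
    """Classify one inbound message by the tag on the recipient address."""
    local, domain = split_address(recipient)
    base, tag = split_tag(local, delimiter)
    if domain != OWN_DOMAIN or base != BASE_LOCAL:
        raise ValueError(f"not one of our tagged mailboxes: {recipient!r}")
    if tag is None:
        # The bare address was never given to anyone, so nothing legitimate arrives on it.
        return Verdict(None, "spam-bare", None)
    issued_to = ISSUED_TAGS.get(tag)
    if issued_to is None:
        # Guessed or mistyped tag, e.g. a mass mailing aimed at +apple or +wellsfargo.
        return Verdict(tag, "unknown-tag", None)
    _, sender_domain = split_address(sender)
    if sender_domain == issued_to or sender_domain.endswith("." + issued_to):
        return Verdict(tag, "ok", issued_to)
    # Tag is real but someone other than its original recipient is using it:
    # the address was sold, breached or is being spoofed.
    return Verdict(tag, "leaked", issued_to)


def classify_sample() -> List[str]:
    """Constructed sample traffic (recipient, sender); returns the verdict for each."""
    sample = [
        ("info+autozone@example.org", "noreply@mail.autozone.example"),
        ("info+autozone@example.org", "deals@cheap-pills.example"),
        ("info@example.org", "ceo@example.net"),
        ("info+wellsfargo@example.org", "security@wf-alerts.example"),
        ("Info+X7Q2@Example.org", "office@school.example"),
    ]
    return [route(r, s).verdict for r, s in sample]


if __name__ == "__main__":
    for verdict in classify_sample():
        print(verdict)
    print(canonicalize("John.Smith+shop@gmail.com"))
```

Two caveats for anyone wiring this into a real mail setup. First, the tag only reaches your filter if the receiving server is configured to split it: on Postfix that is `recipient_delimiter = +` in main.cf, and without it `info+autozone@` is simply a different, non-existent mailbox, which is the situation the commenter further down ran into at work. Second, the "leaked" verdict fires on any sender domain other than the one the tag was issued to, so a company that legitimately mails through a third-party sending service will trip it; treat it as a flag to review, not a hard reject.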


iCloud’s Hide My Email is perfect for this. No “+” convention, it just generates a random @icloud.com email address specifically for whatever website/app you’re signing up for, and forwards it to your real email. The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

I never worry about sites that require signups any more, I just autogenerate an email for them and use a fake name. I couldn’t give a shit less if they get hacked or leak data, because the email and password are randomly generated. If they turn out to spam me I just disable that email address and never hear from them again.

The only people who have my “real” email addresses are people I know personally.


> The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

That's not remotely true.

The very very very vast majority of actual iCloud email addresses are going to have "dictionary" names. It's quite trivial to detect a randomized address (and at that point, you probably don't even care about a couple of false positives).

Multiple instances of letter-number-letter-number ("b2y4r")? Coupled with letter combinations that don't exist in most languages ("ytbn")? And no dictionary words ("john", "smith", "booklover")? Random address.

Now, whether you care to do business with someone who detects this is a different question altogether.

But they are absolutely distinguishable.


The auto-generated addresses also have dictionary names. They’re explicitly designed to look like addresses that a real person might come up with… typically a dictionary word, followed by some numbers and symbols. Just like other email addresses on popular services where all the good names are taken.


The ones I've seen are like a987dfc429be@icloud.com.

Same with Private Relay: here's one of mine (with one character changed) - 2he5rs923s@privaterelay.appleid.com


You’re thinking about something else. There’s a thing called “Sign In With Apple” that is available when an app/website wants to offer it, that integrates with Apple’s authentication system. The email the app/website sees is a bunch of random characters followed by @privaterelay.appleid.com. But Sign In With Apple is not the same as Hide My Email. SIWA is for when the website opts into Apple as an auth provider.

I just looked at my alias list in iCloud and every single “hide my email” alias looks like a plausible @icloud.com address with dictionary words, and every “sign in with Apple” address is using the privaterelay address with the super random characters. There are no addresses that look like a987dfc429be@icloud.com.


Have you ever had to reply 'from' a random iCloud email? Is it possible?

I faced that with Costco support. My method is custom email on personal domain name. Had to setup email alias in gmail to do so. Was a pain.


I heard about the +, but don't some sites reject it? Or can't bad actors just strip it? You'd need your own domain with a large amount of unique identifiers for it to work if it became popular.


I find it quite rare for systems to reject the + these days. One notable exception is my credit union, whose Web 1.0 system turned it into a space. The most annoying thing about this practice is if you're telling it to a human, they are very confused about your email address having their company's name in it. I occasionally get "do you work here or something?" Every once in a while I'm talking to someone (example: elementary school secretary) who gives me a vibe that they're going to be really thrown off by this and I just make up a three letter unique code for a suffix since I can still search for whoever sent me that first to see what the suffix means.

On the stripping of the + and suffix, yeah, bad actors who recognize your scheme can do that, but spamming is about quantity, not quality, so they just aren't going to put in the effort.


Spamming is about quantity but stripping a "+" is something a one line script can do, which is what will happen if this gets popular. A real solution should be more resilient. Like spam binning anything that does not use the "+" ?


Well, I've always thought it would be fairly easy to strip, but I've now been doing it for 25 years and it's obvious the spammers aren't going to go to even that small effort. I once heard the CEO of wordpress say that it would be easy for them to go after adblockers too, but they explicitly didn't because the userbase that went to the trouble of installing adblockers didn't tend to be a lucrative advertising demographic anyway. It's all about return on your investment.


Unfortunately, I disagree; I stopped using plus sign addressing because so many sites I wanted to use it on (many of them for important things like medical stuff) wouldn't accept it.


I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.

(I still have some email handling rules for my domain that understand the - aliases I created.)

I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)


Following my navel gazing idea, the trick is that mail to real@example.com just gets spam binned automatically. Anyone who has any business emailing you should have a real+randomuniqueid@example.com email address to send to you. It's almost like the randomuniqueid is a password to your inbox.

Unfortunately, this is only for email; there's no such thing for phones or anything.


I like that!


A certain tongue-in-cheek email provider [0] uses . (a dot) for this purpose, i.e. username.anything@domain.tld. Spammers could remove the distinguishing part here too, but they can't be bothered to keep a list of all the conventions used by different providers, so I think it should work pretty well.

(Personally I use a dedicated catch-all domain now, and the username is the distinguishing part – try to remove that!)

[0]: https://cock.li/, they do have SFW domains though


Not all mail servers treat a+b@a.com and a@a.com as the same email.

By equal token, you can't be sure that the email address doesn't actually just contain a plus sign.

I was disappointed to find out at work recently that the plus convention was not configured. It made testing account signups more difficult. This is when I dug in a bit and found out that it depends on the mail server whether those are unique addresses or not.


> Apple's thing where it creates a987dfc429be@icloud.com

Still trivial to detect. Random letter/number combinations, letter combinations that don't exist in the dictionary, no dictionary word? Pretty detectable.
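The detection heuristic sketched twice in this thread (letter/number alternation, consonant clusters that occur in no language, no dictionary word in the local part) is straightforward to implement, and implementing it also shows where it misfires. The block below is an added example written for this discussion, not code from any site or provider; the mini-dictionary and the addresses it is exercised on are constructed, and the thresholds are my own guesses at what separates a generated local part from a chosen one.

```python
import re
from typing import Dict

# Constructed mini-dictionary; a real check would load something like /usr/share/dict/words.
WORDS = {
    "john", "smith", "book", "lover", "reaper", "main", "dave", "jones", "the",
    "cat", "mary", "anne", "photo", "guy", "run", "dog", "alex", "ace", "bee",
}
MAX_WORD = 12
VOWELS = set("aeiou")


def word_coverage(letters: str) -> float:
    """Fraction of the letters covered by non-overlapping dictionary words.
    Dynamic programme over prefixes: best[i] is the most letters coverable in letters[:i]."""
    n = len(letters)
    if n == 0:
        return 0.0
    best = [0] * (n + 1)
    for i in range(1, n + 1):
        best[i] = best[i - 1]
        for j in range(max(0, i - MAX_WORD), i):
            if letters[j:i] in WORDS:
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n


def features(local: str) -> Dict[str, float]:
    """The three signals the thread names, computed on the local part of an address."""
    alnum = re.sub(r"[^a-z0-9]", "", local.lower())   # dots/underscores carry no signal here
    letters = re.sub(r"[0-9]", "", alnum)
    # letter<->digit switches: "a987dfc429be" has four, "jsmith1990" has one
    transitions = sum(1 for a, b in zip(alnum, alnum[1:]) if a.isdigit() != b.isdigit())
    run = longest = 0
    for ch in letters:
        run = run + 1 if ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "coverage": word_coverage(letters),
        "transitions": transitions,
        "max_consonant_run": longest,
    }


def looks_random(local: str) -> bool:
    """Flag a local part as generated when no dictionary word explains most of it AND it
    either alternates letters and digits repeatedly or contains an unpronounceable cluster."""
    f = features(local)
    return f["coverage"] < 0.4 and (f["transitions"] >= 3 or f["max_consonant_run"] >= 4)


if __name__ == "__main__":
    for sample in ["a987dfc429be", "2he5rs923s", "b2y4r", "ytbn",
                   "john.smith", "xXxreaperMainxXx69", "booklover"]:
        print(f"{sample:22} random={looks_random(sample)} {features(sample)}")
```

Two things the run makes visible. The word-coverage term is what keeps xXxreaperMainxXx69 (the "probably a real address" case below) out of the random bucket even though it is full of consonant clusters, so a site that skips that term and keys only on clusters and digits will reject real customers. Conversely, the dictionary is English, so a short Polish or Welsh surname with no digits at all can fail coverage and hit the consonant-run rule; the false positives the thread mentions are not evenly distributed across users.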


Meh, some actual customer probably uses that as their email address. xXxreaperMainxXx69@gmail.com is probably a real address.


Apple has this as a service now. It's more automatic than the GMail process and works well.

A weakness with the GMail process is that spammers are able to remove the + part (even if most don't), and your credentials or identity can be aligned across leaked credential databases by removing the + part.


They can, but in my case that still doesn't get them in my inbox since those messages go elsewhere.


It seems like this approach is really popular. Have no spammers/data brokers caught on and started stripping the +identifier?


Can't you just reject email that comes in to the base address without the identifier?


If they were really smart, they'd parse and use that info to their advantage. Have info+autozone@domain.com? Send company-specific phishing emails to +apple, +wellsfargo, +$POPULAR_COMPANY every other week


I've thought a little bit about what a good successor to email would look like, and in addition to things like native support for encryption and authentication, one of the big features I wanted was to not allow sending a message unless the recipient had added you to their list of contacts. And maybe have a way to send a request that someone add you to their contacts, that would be processed differently than a normal message.


That eliminates a huge class of genuinely useful use cases for email.

Part of the usefulness is that you can write to and receive from addresses without prior permission.

I've had wonderful conversations with authors, academics, politicians and other strangers around the world thanks to the permissive ability of email.

