Sourceforge requires a phone number for registering a project

SalmanMohammadi

Hi,

A few days ago, I wanted to register a new project on Sourceforge and they asked for my phone number to allow me to register a new project. I didn't give them my phone number and deactivated my account.

https://sourceforge.net/p/forge/documentation/Create%20a%20New%20Project/:

"Key points about phone-based verification:

Our phone-based verification is performed using a reputable third-party provider (Nexmo).
We store a one-way hashed (SHA1) copy of phone numbers in our database, allowing us to identify repeat offenders using multiple accounts.
We do not store clear phone numbers in our database — numbers are used for verification only at time of first project registration.
Nexmo maintains transaction logs containing phone numbers, available to us for diagnosis of PIN code delivery problems.
Verification PIN codes are transmitted by SMS or voice and are good for five minutes."

JadedCtrl

They store the SHA1 of the phone number for a legitimate reason; I fail to see a privacy issue.
At least they aren't doing what most companies do, i.e. store/sell phone numbers.

Ignacio.Agullo

name at domain, Tue, 26 Apr 2016 13:27:36 CEST:

> They store the SHA1 of the phone number-- I fail to see a privacy issue.

Storing the hash of a phone number is practically the same as
storing the phone number. From your IP address they can tell what
your area is, and checking the hash of all phone numbers in your area
against the hash of your phone number can be a matter of minutes.

There is a voracious appetite for personal data in general and
for telephone numbers in particular. We see it everywhere.

I was forced to create a Microsoft account in order to register
for a security seminar once, and I keep it just in case I need it
again. Guess what? Whenever you are in a computer other than your
usual one, Microsoft notices it and requires you to "confirm" it - and
by confirm it, it means to enter a phone number. That means that
whenever you don't have access to your usual computer, i.e. by being
out of town, you are forced to give your phone number or else you are
not allowed to check your e-mail.

Yahoo! Mail is currently trying to do the same and get my phone
number, prompting me to give it, but so far there's still a way to
avoid it - a button impolitely labelled "Later" or something similar,
as if I were promising to do it later on, which I am not doing.

------------------------------------------------------------------------
Ignacio Agulló · name at domain

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

JadedCtrl

True, but it didn't say they record IP addresses.
And even so, that's a rather cumbersome method of finding someone's phone number. That method would be more noticeable (rogue workers snooping would have a harder time not getting caught) and also doesn't work for people carrying phone numbers from where they used to live (i.e. people with the wrong area code).
Having the SHA1 isn't the same as having the actual number, in practice.

Ignacio.Agullo

name at domain, Wed, 27 Apr 2016 01:15:32 CEST:

> True, but it didn't say they record IP addresses.

IP addresses are routinely logged by the system. This is not
only usual, but also mandatory in most countries - so in case there's
a criminal investigation going on, the connection can be traced to its
source.

> And even so, that's a rather cumbersome method of finding someone's
> phone number.

Yep, you're right. Know what is a less cumbersome method?
Having already calculated a hash table for all possible telephone
numbers. Taking into account the low cost of terabytes today, the
storage cost would be cheap. That way any hashed phone number can be
instantly matched to its plain number.

"We don't store your phone number, only its hash" is just
lawyerspeak for "Yes, we definitely store your phone number". What
else would they need the hashed number for?

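The two methods Ignacio.Agullo describes (hashing every number in a suspected area code until one matches, and precomputing a digest-to-number table for the whole numbering space) as an added example; this code is not from the thread, from SourceForge or from Nexmo. The number 415 555 0123 is constructed (555 is a fictional exchange), the `keyed_hex` function is a hypothetical mitigation shown for contrast, not something SourceForge states it does, and the table-size estimate counts only digest plus packed number, without index overhead.

```python
import hashlib
import hmac

# Constructed sample: fictional North American number, area code 415,
# exchange 555 (reserved for fiction), subscriber 0123. Not a real line.
SAMPLE_NUMBER = "4155550123"


def sha1_hex(number: str) -> str:
    """Unkeyed SHA-1 over the digit string, as the quoted SourceForge text describes."""
    return hashlib.sha1(number.encode("ascii")).hexdigest()


def candidates(prefixes, suffix_digits):
    """Yield every number formed by one of the known prefixes (e.g. area code plus
    exchange, guessed from the IP address's region) followed by suffix_digits digits."""
    for prefix in prefixes:
        for n in range(10 ** suffix_digits):
            yield f"{prefix}{n:0{suffix_digits}d}"


def crack_online(target_hex, prefixes, suffix_digits):
    """First method: hash each candidate in the suspected area until one matches.
    Returns the plain number, or None if it lies outside the searched prefixes."""
    for number in candidates(prefixes, suffix_digits):
        if sha1_hex(number) == target_hex:
            return number
    return None


def build_table(prefixes, suffix_digits):
    """Second method: precompute digest -> number once; afterwards any stored
    hash in that space is a dictionary lookup rather than a search."""
    return {sha1_hex(number): number for number in candidates(prefixes, suffix_digits)}


def full_table_bytes(total_digits=10, digest_len=20):
    """Rough storage for a table covering every total_digits-digit number:
    one SHA-1 digest plus the number packed two digits per byte, no index."""
    return 10 ** total_digits * (digest_len + (total_digits + 1) // 2)


def keyed_hex(number: str, secret: bytes) -> str:
    """Hypothetical contrast: HMAC-SHA256 under a server-side secret. The
    operator can still recognise a repeated number by recomputing under the same
    key, but nobody without the key can precompute a table or brute-force the
    digest offline. This is NOT what the quoted SourceForge text says they do."""
    return hmac.new(secret, number.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    stored = sha1_hex(SAMPLE_NUMBER)
    print("online search:", crack_online(stored, ["510555", "415555"], 4))
    print("table lookup :", build_table(["415555"], 4)[stored])
    print("full 10-digit table, bytes:", full_table_bytes())
```

With the prefix guessed from the region, the search space in the sample is 10,000 numbers per exchange and 10,000,000 per area code, and a table for the entire 10-digit space works out at roughly 250 GB of digests plus numbers, which is why the poster calls the storage cheap. Swapping the unkeyed SHA-1 for the keyed digest leaves the repeat-offender check intact for whoever holds the key and defeats the precomputed table.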

Magic Banana

See https://www.gnu.org/software/repo-criteria-evaluation.html
Ignacio.Agullo

name at domain, Tue, 26 Apr 2016 14:15:00 CEST:

> See https://www.gnu.org/software/repo-criteria-evaluation.html

Unrelated answer.


Magic Banana

I am a member!

I am a translator!

Online
Joined: 07/24/2010

It is related: the linked page explains why SourceForge is ethically terrible (SalmanMohammadi raises yet another problem with it) and suggests better solutions to host a software project (what SalmanMohammadi wants).

albertoefg

Indeed... Magic Banana is right. I recommend you check that link and choose the service that offers you freedom and more privacy.