Because SMS verification is so cheap (under a dollar per one-time validation, under $10/mo for ongoing validation), this approach really only makes sense for ultra-low-value services, where e.g. $0.50 per account costs more than the service itself is worth.

Because of this low value dynamic, there are many techniques that can be used to add "cost" to abusive users while being much less infringing upon user privacy: rate limiting, behavioral analysis, proof-of-work systems, IP restrictions, etc.

Using privacy-invasive methods to solve problems that could be easily addressed through simple privacy-respecting technical controls suggests unstated ulterior motives around data collection.

If your service is worth less than $0.50 per account, why are you collecting such invasive data for something so trivial?

If your service is worth more than $0.50 per account, SMS verification won't stop motivated abusers, so you're using the wrong tool.

If Reddit, Wikipedia, and early Twitter could handle abuse without phone numbers, why can't you?

▲

derekdahmer 2 days ago | parent [-]

Firstly, I can tell you phone number verification made a very meaningful impact. The cost of abuse can be quite high for services with high marginal costs like AI.

Second, all those alternatives you described are also not great for user privacy either. One way or another you have to try to associate requests with an individual entity. Each has its own limitations and downsides, so typically multiple methods are used for different scenarios with the hope that all together its enough of a deterrence.

Having to do abuse prevention is not great for UX and hurts legitimate conversion, I promise you most companies only do it when they reach a point where abuse has become a real problem and sometimes well after.

	▲	anonym29 2 days ago \| parent [-]
		>Firstly, I can tell you phone number verification made a very meaningful impact. The cost of abuse can be quite high for services with high marginal costs like AI. Nobody has made the argument that it's not a deterrent at all. The core argument is that it's privacy-infringing when it doesn't need to be, and the cost posed to attackers is extremely low. If your business is offering a service at a price below your business' own costs, the business itself is choosing to inflict cost asymmetry upon itself. >Second, all those alternatives you described are also not great for user privacy either. This is plainly and obviously false at face value. How would blocklisting datacenter IP's, or doing IP-based rate limiting, or a PoW challenge like Anubis be "also not great" for user privacy, particularly when compared to divulging a phone number? Phone numbers are linked to far more commercially available PII than an IP address by itself is, and PoW challenges don't even require you to log IP addresses. Behavioral analysis like blocking more than N sign-ups per minute from IP address X, or blocking headless UA's like curl, or even blocking registrations using email addresses from known temp-mail providers is nowhere remotely close to being as privacy-infringing as requiring phone numbers is. The privacy difference between your stated practice and my proposed alternatives isn't a difference of degree; it's a fundamental difference of kind. Being generous, this is lazy, corner-cutting engineering that seeks to impose an unknown amount of privacy risk from the perspective of end users by piggybacking off an existing channel that only good-faith users won't forge (phone number), at the possible expense of good-faith users' privacy, rather than implementing a better control. Of course, there's no reason to be generous to for-profit corporations - the much more plausible explanation is that your business is data mining your own customers via this PII-linked registration requirement through a coercive ToS that refuses service unless customers provide this information, which is both entirely unnecessary for legitimate users and entirely insufficient to block even a slightly motivated abusive user. ...not that you'd ever admit to that practice if you were aware of it happening, or would even necessarily be aware of it happening if you were not a director or officer of the business.