[0daystock]

Google is no saint, but there's absolutely no reason to ascribe ill intent to collecting phone numbers of 2FA setup. The reason is simple: Google has billions of users, and at any given time, a lot of them break their devices and lose access to 2FA credentials. Phone numbers, despite all their flaws, are still the most reliable long-term and mostly-immutable attributes which can service as a proxy for identity which can and does aid account recovery at scale. If you crack your phone screen, you can walk to a brick and mortar cell shop, present your ID and get a new phone that receives security codes without a second thought. If you're using Aegis and storing MFA seeds locally, you're on the hook for backups and no one wants that responsibility.

Think of it like using social security numbers to authenticate yourself to the bank. Yes, it's terrible, but it's kind of the only thing that works when done on a massive scale. Yes, you can do better at managing your 2FA credentials, but most users cannot - they struggle even having strong passwords. Phone numbers bridge that security-usability gap. To be clear, this isn't an endorsement of the system (I think the user should be allowed to choose), but rather trying to make sense from an engineering perspective.

[throw10920]

This is an explanation for why Google might ask for phone numbers. This is not an explanation for why Google might require phone numbers.

The only valid reasons for the latter are (1) to collect your PII and/or (2) because they think that they know better than you and they're going to force you to do a thing because they think it's in your best interests - in other words, a tyrant ruling over a techno-feudalistic society.

If Google was really concerned only for the safety of their users, and not trying to obtain PII for their personal use, they would build an opt-out button, something that would allow users to print out a one-time-use password/encryption key, or register an alternate email address, in lieu of providing a phone number. They don't.

Your explanation doesn't hold water.

[nomel]

Why might Google require it?

It adds an external cost to creating an account. I imagine this is incredibly valuable in fighting spam across all of their services. No coincidence, the phone number requirement is the only reason I don't have several disposable twitter, Facebook, and Google accounts.

[cheriot]

> a tyrant ruling over a techno-feudalistic society

It's an email app. There are many other options.

[throw10920]

Google is, uh, not just email.

https://about.google/products/

[cheriot]

The topic of the post was email. Even expanding to every other product, which ones are you forced to use? Just pick another one.

Calling this feudalism is a bit much.

[nicce]

Email was just an example. Topic is about account.

[commonalitydev]

If I understood his post and overall point correctly, he doesn’t think that it’s that second possibility — that Google is a benevolent tyrant, essentially — but that that’s the only other explanation, which is bad.

(I agree that the language he used was a bit much, but I think he was using exaggeration as a legitimate literary device to make his point, not in an attempt to actually mischaracterize that scenario.)

He think it’s the first possibility — that Google is doing it for reasons other than the users’ best interests (i.e. “nefarious purposes”) — which is even worse.

[natch]

There’s nothing that says they absolutely must do things at a scale that leads to ethical compromises. Oh, other than greed, that is.

[fweimer]

Google asks for a phone number in this context even for accounts which are integrated with an external identity provider and for which Google does not need to (or rather: must not) provide a recovery option. Furthermore, in most countries, phone numbers (especially mobile phone numbers, as suggested by Google) are very susceptible to targeted attacks, so I hope that Google does not use them as a recovery option even for non-corporate accounts.

I think it's some sort of state machine glitch that this account feature only becomes available after adding a phone number. I couldn't come up with any other explanation. And I really hope that the static passwords stay indefinitely because the XOAUTH extension for IMAP is brittle, hostile to open-source software because of the API key requirement, and does not add security anyway. (I wouldn't mind manually rotating the passwords once per quarter, though.)

[kevin_thibedeau]

Then what happens when you change phone numbers and don't bother registering it with Google? There is a real risk of you becoming a non-person by linking things that shouldn't ever be linked.

[jjav]

> Phone numbers, despite all their flaws, are still the most reliable long-term

How so? The most realiable one is email, as it doesn't need to be tied to any third party so it can exist a lifetime.

I've had the same email since the mid 90s. I've had probably a dozen or more phone numbers in that timeframe. A handful of which are still tied to various company accounts even though I've long since haven't had any acces to those phone numbers.

[blitzar]

I've had the same phone number since the mid 90s. I've had probably a dozen or more email addresses in that timeframe. A handful of which are still tied to various company accounts even though I've long since haven't had any acces to those email accounts.