by jaclaz 1348 days ago
I don't understand the idea behind it.

Now:

1) You give your real number to someone.

2) Somehow your real number goes into a list used by robo-callers.

3) A robo-call arrives on your real number, disturbing your peace.

After:

0) You give Mozilla 3.99 or 4.99 US$/month

1) You give your Mozilla number to someone.

2) Somehow your Mozilla number goes into a list used by robo-callers.

3) A robo-call arrives on your Mozilla number, that promptly relays it to your real number, disturbing your peace.

You cannot change your Mozilla number, so it is basically an "alias" number, where is the advantage?

Stopping paying so that the number becomes invalid?

But then you won't be reachable anymore by the people you gave that number to.

9 comments

Maybe you use it as part of a multi-layered approach to personal digital privacy.

Without having hired a lawyer to dissect the TOS and Privacy Policy for Mozilla's new service here, I'm going to assume for the sake of argument that they will not sell the data to brokers. If that is true, then it's one more way to try and keep your true PII out of circulation. For instance, maybe you pair this with a high quality VPN offering, browser plugins or whole-network based stuff like pi-hole/etc along with also using aliased credit card numbers through services like Privacy.com or other similar offerings. Then when you "sign up for an account" or "make online purchase" you could use a name like John Smith, private/aliased email, etc etc... This just puts distance between your activity and your true identity.

With all that setup you have at least _some_ chance of evading a decent amount of the persistent and invasive tracking that is beginning to be top of mind for many people.

Service-unique email / username + service-unique credit card is good enough for, I'd estimate, 95% of people.

You are trying to avoid wholesale scoops of info and automated credential stuffing. If your threat model is people specifically seeking out and targeting you: godspeed.

Yeah, I'm a little confused on the use case for this. I guess I could put all of the annoying services that demand a phone number for totally-only-security purposes-trust-us into a "bucket" number. It doesn't sound like it is a feature but I'd prefer that calls and texts to that number just be outright ignored unless I've turned the number on temporarily for verification. But since they have started rejecting VOIP numbers for verification, and now even prepaid phone numbers (!) for verification I feel like this probably won't work for that either.

I personally only use prepaid cards so a service that makes them appear like post paid might be useful on its own though.

The fact that you only get one number and you can't change it seems to blunt some of the utility. Ideally you'd want a separate number for each service and to have them all turned off, to block identifying you as the same user of different services. Not quite as easy to do with finite numbers as with email address suffixes.

I wonder if you could use this like 5sim or other shady text verification services by just remaking a monthly account. I suspect that is not the idea here and probably forbidden, otherwise they'd let you change numbers.

From the article

> If you find yourself receiving too many unwanted spam calls or texts, you can easily turn it off for all phone numbers or select the specific ones you want to block.

So it sounds like if your aliased phone number has issues, you can block those specific ones. In theory, you can do that now from your phone, for individual numbers, but it isn't applied if you switch devices. So it's a very moderate improvement.

Additionally, your existing phone number is probably already overwhelmingly accessible to robo-callers, i.e. the cat is already out of the bag.

(Relay engineer here.)

This is definitely just the first step; we've got lots of ideas for additional protections we could add, and are monitoring usage and feedback [1] to inform our roadmap.

What this first version gives you is a way to add a tier of trust to your phone number: your Relay number for untrustworthy partners, and your true phone number for important things. That means that data leaks of untrustworthy services can no longer be linked to the important ones through your phone number. Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.

But again, there is more to come, so stay tuned.

[1] See also https://connect.mozilla.org/t5/discussions/firefox-relay-pho...

>This is definitely just the first step; we've got lots of ideas for additional protections we could add, and are monitoring usage and feedback [1] to inform our roadmap.

Yes, and I don't doubt in the least that it may become the third best thing in life after icecream and sliced bread, but right now its usage cases and advantages seem not clear.

Maybe it could be useful to people who lose their phone/number or have it stolen, since this mask is "centralized" you change the connected "real" number to a new one only in one place instead of updating several places where the old real number is stored.

>Additionally, if you receive a phishing call to your Relay number, that's an extra red flag that it might not be who they say it is.

I still don't understand.

If I use this relay, giving this mask number to three different organizations for - say - 2FA or emergency recovery or similar, any call or SMS to that number must come from one of the three (until it is leaked).

Once it is leaked it may still come from any of the three or from someone who is attempting a phishing call, what is the difference against a "main" number or a spare "burner" one?

Like email masks, we recommend using the phone mask for untrusted organisations. In other words, if you need to provide a phone number to get a shopping coupon, use your Relay number. If your bank wants to do 2FA via SMS (please no, but you know how banks are...), provide your true number.

Now, if you get a phishing attempt that looks like it's from your bank, but it's sent to your Relay number, that should be an additional sign that it's unlikely to actually be from your bank.

Still, I see no differences with a second number/burner phone.

For e-mails, a strategy I used and that worked (at a time I had a domain with its own mail server) is to give a "non-existing" e-mail, like specificsite@mydomain.com, the mail server was set to have a "catch-all" account, so specificsite@mydomain.com would arrive (together with messages to anything@mydomain.com, etc.) to this catch-all inbox, while identifying by the address used the "source".

With telephone numbers, a possibility would be to fake a PBX with internal numbers (no idea if it is feasible) i.e. if the relay main number is 123456789, have it working with added "internal" numbers, such as 123456789101, 123456789102, etc.

> Still, I see no differences with a second number/burner phone.

That's because that's essentially what this is :)

And yes, that's how Relay for email works (although instead of using mydomain.com, you use mozmail.com, so your different email masks can't be linked together).

We'd definitely like to support a similar pattern for phones, but we still have to figure out a way to do that. Using extensions is one thing we'll be looking at (was also suggested at [1]), but a challenge there is that many services have rather strict validation rules on phone numbers that will disallow that. But it might still be worth it, so stay tuned!

[1] https://connect.mozilla.org/t5/discussions/firefox-relay-pho...

What are the benefits of Firefox phone relay then versus a free google voice number I use just for spam (“untrustworthy partners”)?

I'm not terribly familiar with Google Voice (it also isn't available in my country...), but they look similar in terms of functionality at this point in time. For me personally, the primary reasons to go with Relay would be that I'm already trying to move away from Google as much as possible for privacy reasons, that I'm already using Relay for email masking, and that Relay is explicitly focused on the privacy use case and will keep evolving in that direction.

I can relate to the privacy-focused goal of getting away from google however Google Voice is free. Sadly I think having a competing free Google product that accomplishes most of the same things is going to hurt adoption of the Firefox relay product (which is paid)

I effectively did this with Google Voice back when.

I would give marketers my Google voice number, it had better interface (and on cloud instead of on device) contact management. I could send non favorites to a voice identification prompt (voiding all slow recordings or agents making multi calls that have a pickup delay) and for the final small percentage voice transcripts that I could determine if important.

Or for craigslist, I could forward calls to a phone for a short period of time, then turn off forwarding.

I still use google voice like that, give it out when I absolutely have to give a phone number (because they verify by text or whatever) but have the app set to silent.

Google does a really good job of filtering out the telemarketing calls so the rare message is usually valid.

Pretty much the only time I have to open the app is this one stupid company (coughWalmartcough) which insists on doing 2FA via text every single time I want to check the balance on my prepaid debit card.

I think the idea is to give your real email and phone number to real friends and family; then you use the relayed one with online services who might sell or lose the data. Then you could presumably ditch the related info after the spam gets to be too much? Or maybe you just do it to be more anonymous?

It’s like the concept of a “burner phone” I think

That's what I thought too but then I read about what is actually offered:

> You only get one phone number mask at this time. Once you choose your phone number mask, you cannot change it later.

That makes it impossible to use as a "burner" number.

But - originally - you give a number (be it real or Mozilla or "burner") in order to be contacted by someone (and then somehow it was leaked to the robocallers).

The moment you change or abandon the number (be it Mozilla or "burner") that someone won't be able to contact you anymore.

But if you keep it, with the burner at least that someone will still be able to call you at the end of the month (when the robocallers will have already eaten the 50 minutes allowed by Mozilla).

It would kind of make sense if you could "open" the relay when you need to 2fa, and then you close it again after. With this use pattern you would only need one alias, that would be closed 99.9% of the time.

But if you can use a unique number per service, you now know which company is selling your PII and you could address that either by switching to a competitor or, depending on the legal specifics, sue/expose them.

From what I understand it is not "unlimited" numbers, just one, as said an "alias".

That's a shame, it wasn't entirely clear from the article but I assumed it must be multiple numbers since it didn't seem to me like it would be all that useful otherwise.

Unfortunately this only gives you a single unchangeable mask number.

So like google voice with less features?

textnow.com is free and what I have been using for years.

To save some people a click, it's US only

If you get a spam call / text, you can block that number from calling / texting you again.

I can already do that on my phone, and it is kind of useless due to caller-id spoofing that most robocallers use.

Also, probably won't work for services that require a phone number but don't accept VOIP numbers.

I wish the article addressed these issues.

>If you get a spam call / text, you can block that number from calling / texting you again.

>I can already do that on my phone, and it is kind of useless due to caller-id spoofing that most robocallers use.

Yes, I cannot see in which way this "black-listing" on Mozilla is different/better.

> Also, probably won't work for services that require a phone number but don't accept VOIP numbers.

I'm running into an increasing number of these, and it's annoying because I use Google Voice as my primary phone number. Using VOIP is important for me because I travel frequently between the US and EU.

Aside from being inconvenient for me, I take blocking VOIP as a red flag that the service might want to misuse my phone number.

Totally agree, this should be a telephone version of a spam folder. I have a legacy google voice plan that I use for this, but would be happy to pay a couple bucks a month to Mozilla for a comparable service.

That was my thought. Unless I can create multiple numbers and disable them at will, this is quite flawed.

With a virtual cc number, I create a new number on demand for each service I need, and disable it after I don’t need it anymore.

With virtual email addresses, I create a virtual address and delete it after I don’t need it anymore.

Unless there is a phone number analog, a single number is only useful until that number is compromised. Which could be day 1.