What the title says. I’m trying to discern if using a number acquired and served through JMP for phone and text, versus a mobile carrier, provides a better data security and privacy experience.
On the one hand, I wouldn’t be subject to the almost yearly data breaches that a number of the carriers experience, nor their potential snooping. However, on the other, I’m not sure if using JMP and Cheogram actually provides any increase in privacy or security on that front?
Like anything, it depends on what you’re trying to accomplish, but in general yes.
You will still have a carrier phone number, but you don’t need to give identifying info when signing up, and you don’t need to use it. This prevents people from tracking you or SIM swapping. If you get multiple numbers it also allows you to call anonymously or not worry so much about how much you give a number out because you can just turn it off. You’re more protected from data breaches. JMP specifically isn’t KYC last I checked, but the phone number you actually use is going to be pretty public. You may also save money despite paying for JMP, because of new customer deals from the carrier: you do not care if you have the same SIM number.
However, no VoIP number uses RCS. SMS is very insecure and lacks features. JMP uses XMPP, but that only works when both parties are using it, meaning probably never. You could convince some people maybe, but texting, even XMPP, is for people that won’t move to Signal or another actually secure messaging app.
If you have most people on more secure/private/featured platforms, VoIP and SMS is a good choice. If you are going to use text extensively and can’t get people on other platforms, you may consider sticking with Google Messages & RCS.
Right now I use VoIP but I’m having a medium amount of issues moving people over to Signal and missing some of the features, so I’m mixed on it. If RCS ever becomes more universal (and if Graphene gets better support for it) that would decide it for me.
XMPP works through gateways, so any SMP or PBX Voice call is routed through the standard network, so is not secure. VOIP and the XMPP chat features, however, can be secure and private. The encryption exists and you can host your own servers, which covers both of the privacy concerns.
It depends on what your threat model is. For example, do you want to mitigate the ability to easily link accounts and other information to you based on a single phone number? If so, then this will help with that assuming you (at least temporarily) use multiple numbers through JMP. On the other hand, if you want your communication to be private then there are better alternatives.
Ultimately, this is similar to using a privacy respecting email provider over gmail. Unless you take some additional precautions, your communications have a similar security/privacy exposure. It can be an improvement (assuming you trust JMP), but it is not the best means of communication in terms of privacy.
assuming you trust JMP
Any 3rd party security audit that would help on this specifically?
How not? Cheogram is using XMPP, no? Just using JMP as a 3rd party service to give you a number. Right?
I’m hosting my own XMPP server to have better control over my data, ensuring the in-app texting is secure. Of course over a mobile number of a text recipient, they’re still vulnerable to normal carrier bs and therefore so would my messages be exposed. But I think cutting back shows and potential to block the spam calls
That’s correct, but the XMPP portion of this communication chain is just your device to the JMP service. Any messages sent or received to another phone number are delivered via SMS/MMS. As a result, those messages can be read by unrelated 3rd parties. I assume something similar is possible for voice calls as well (or at the very least the call start/stop times and the other number on the call can be determined).
Essentially this just shifts trust from a mobile phone carrier to JMP. However, I understand that it may be more challenging to hack a VOIP number than perform a SIM swap attack. Another benefit of JMP for privacy is the more challenging tracking of location for a JMP phone number.
I’m not saying that using JMP is bad. I am saying if you need a secure and private way of messaging someone then this is not the best solution.
I think if anything the appeal to me is to be able to jump ship on a number anytime I feel it’s too compromised, with minimal registration requirements, i.e. personal information. For any communications that are more sensitive, I typically use encrypted mediums.


