Let's decouple our ability to call and text from the need to carry a mobile phone. You can port your phone number to a VoIP + SMS provider, then access its services using platform-agnostic protocols and client software that you can run on any computer or network connection in the world, including a mobile phone when you choose. The goal is to maintain your access to the PSTN + SMS networks, and your existing identity (phone number) on those networks, regardless of which device you're using, without having to run proprietary software.
In 2016 we have many ways to communicate that are both strongly encrypted and easy to use. Still, much of the world still talks on the phone and texts via SMS. These networks are badly compromised by mass surveillance. Worse, most people's access to these networks is tied to a particular mobile phone. Cell phones are packed with sensors and software that surveill users and their associates at all times, often without the knowledge or consent of these parties. With effort, most of the smartphone-centric privacy issues can mitigated, at least with Android OS 1. Still, the following two intrusions cannot be mitigated in a practical way.
1. Network-Based Location Tracking
If you carry any cell phone (it doesn't need to be a smartphone), the carrier tracks your physical location using tower-based trilateration. This doesn't require GPS, and it occurs even if you disable the various location services on your smartphone. It is necessary for the health of the network, so that your data connection can be efficiently handed off between towers as you move about. It is also very convenient for an actor who wants to know where everyone is (1 and 2), all of the time (3), and who they meet/travel with. (The NSA wants you to believe they're not trying to collect this information inside the USA. Evaluating that agency's track record of honesty is an exercise left to the reader.) Also, the US government uses tower-based positioning to assassinate suspected terrorists with flying robots in the middle east. If you believe the anonymous purported drone operator:
"People get hung up that there’s a targeted list of people," he says. "It’s really like we’re targeting a cell phone. We’re not going after people – we’re going after their phones, in the hopes that the person on the other end of that missile is the bad guy."
2. Baseband Processor
The baseband processor (BP) is a second computer inside your mobile phone, separate from the application processor (AP) that runs Android or iOS. Its primary function is to control the radios that communicate with mobile networks. It also has direct access to hardware sensors, and some BPs control their own power state independently from the AP.
The baseband processor's proprietary operating system is difficult to inspect, but those who have tried find a poor security model and easily-exploited vulnerabilities (1, 2). It is rumored that sophisticated actors already use BPs to remotely exfiltrate data from targeted phones and listen to their users' activities. Without better visibility into how modern baseband processors function, it is difficult to make informed decisions regarding their privacy/security risk if you are concerned about such things.
Maybe you don't see a reason to stop using your mobile phone now, but you want to retain the option in the future -- when surveillance technologies are deployed in more pernicious ways against larger groups of people, or under unspecified future political conditions. Maybe you only want to use your phone some of the time, based on your assessment of the convenience and risk in various situations. We need this flexibility to change our minds, without losing the ability to reach others (and be reached) on the phone and via SMS.
We need a service that lets us call and SMS from any device on the internet (including a mobile phone, when we choose). Many commercial VoIP services claim to deliver this, but few meet the following requirements.
- Send and receive both phone calls and SMS messages
- Using non-proprietary client software that speaks standard VoIP (SIP/RTP) and text (HTTP/email) protocols
- Using any computer, including a smartphone (receive an incoming call/SMS on any device)
- Port in a US-based mobile number
- Bonus: service exposes an API so I can build my own software around it
"But wait", you say, "SIP and RTP are not encrypted protocols! Someone could intercept your packets and listen to your calls!" You are right, but remember that we're connecting to the PSTN, an even weaker link where someone is almost certainly intercepting your traffic with the ability to listen to your calls -- here is a good explanation. I'm not trying to secure my communication over these untrusted networks (there are much better options), just find a platform-agnostic way to access them. (If you're nervous about using VoIP on public Wi-Fi hotspots, you can tunnel your VoIP traffic through a VPN at the penalty of some additional latency.)
Also, I'm already running a CardDAV server to store and synchronize my contacts, so the solution doesn't need to do that.
I considered but passed on these services:
- Google Voice (requires proprietary VoIP client)
- RingCentral (previous negative first-hand experience)
- Twilio (promising but doesn't let you receive incoming calls)
I eventually chose voip.ms, which satisfied all my design goals. The first thing I noticed about voip.ms was their excellent wiki! I also noticed they are running Asterisk under the hood. voip.ms provides advanced call flow configurations without marketing it as a "Cloud PBX" and charging a premium. This means that (among many other things) you can create a subaccount (extension) for each of your devices, add them to a ring group, and forward incoming calls to all devices in the group simultaneously.
The solution I configured with voip.ms isn't perfect, but it's not bad!
Calling on voip.ms
Using VoIP Only
VoIP gives you lots of flexibility: nearly any general-purpose computer can make and receive calls using a softphone application. These also exist for all the major smartphone OSes, so you can use your smartphone with a VoIP service. (You can also use a dedicated VoIP device, but I'm not going to bother.)
If you have a smartphone running Android 5 or later, try the built-in Android SIP client. It is nicely integrated with the native Phone/Dialer application. On my computer running Debian GNU+Linux, I chose Linphone.
Your computer is probably behind a firewall; in order to complete SIP registration and receive incoming calls, your softphone needs to know how to traverse NAT. On Linphone, this was as easy as selecting "Behind NAT / Firewall" in the network settings, and specifying any public STUN server (I chose stun.iptel.org).
The voice quality with VoIP can be very good, but it depends on the quality of:
- Your internet connection
- Your audio setup (speaker/headset/mic), combined with
- Your client's echo cancellation
If you are not using echo cancellation, then you need good audio isolation between your headset/speaker and microphone. My sister reported a horrible echo when I called her using my built-in laptop speakers + mic, which went away after connecting a Bluetooth headset. Calls that I placed using the Android SIP client on a smartphone were also fine.
My test calls were excellent with a good internet connection (home wi-fi or Verizon 4G), but I had unusably severe audio latency (like, 5-10+ seconds) on AT&T's HSPA+ network. (I also tried the proprietary ZoIPer Android app, and this had the same problem - likely something with the network.)
VoIP Forwarding to Mobile Phone
If you want to travel with your smartphone but don't have good results with VoIP on its mobile data connection, there is another strategy: you can continue to use your mobile phone directly on the mobile voice network. In order to receive incoming calls from a number you've ported to a VoIP service, you'll need to re-activate your mobile phone with a new number, then add that number as a forwarding destination in your ring group, right alongside the account/subaccount for your VoIP-enabled computer.
There is one problem with this arrangement. When you place outgoing calls from your mobile phone, your caller ID will display as a new number, not the ported number that people already know you by. There are three different ways around this:
- Block outgoing caller ID from your cell phone; people will see your calls coming from 'private number'.
- Tell people that sometimes you'll call them from a different number, but they should continue to call you on your original number.
- Order an additional number in voip.ms (they are called DIDs) and attach a DISA to it, configuring the DISA to use your externally known number as its outgoing caller ID. When you want to call people from your cell phone, you "island-hop" through voip.ms, calling into the DISA and then placing your outgoing call from there.
SMS on voip.ms
First, I should mention one overall drawback: voip.ms has no MMS support. I don't mind this because group MMSes / "mass texts" are annoying (no way to unsubscribe). I'll just tell people to send cat pictures via email instead.
Anyhow, I found four ways to send the receive SMS messages on voip.ms:
voip.ms allows you to receive and reply to SMS messages via email. This is a neat way to be notified that you have a new SMS, but I found three issues when I tried to use it for conversations...
Splitting longer messages is sort of buggy - see above.
The design of the gateway only allows you to receive and reply (sending an SMS to an existing number that has texted you before). This is probably because they use a unique ID in the subject line. If you want to start a conversation with a new number, you'll need to use one of the other options.
The messages arrive with a From: address of
[smsnumber] <email@example.com>. Since they all share the same email address, you can't attach names to them by saving new contacts in your email software.
A solution to 2. and 3. would be to use email addresses whose local-parts are unique and predictable per SMS number, like
firstname.lastname@example.org. Then, you could assign contact names to them, and send an SMS to new numbers directly by using the appropriate email address. (voip.ms, maybe you're listening!)
Desktop web app
This seems like it was built mostly for troubleshooting purposes. Not a good UI for having a conversation.
Mobile web app
Much better UI than the desktop site (also very usable in a desktop browser), but forces you to re-authenticate after a few minutes of inactivity, which isn't fun on a smartphone keyboard. It also doesn't appear to support push notifications, which people tend to expect with SMS.
REST/JSON API, a.k.a. "build your own SMS application"
This is really useful and I might use it to build an XMPP gateway. I think SMS via XMPP instant messaging would provide a good user experience on desktop and mobile OSes. XMPP has excellent non-proprietary clients for all the major platforms, despite its faults (e.g. managing state between multiple devices on the same account).
VoIP.ms SMS Android app
It looks like a Michael Kourlas wrote a native Android app using the voip.ms REST/JSON API. Unlike the voip.ms web applications, it has push notifications. From a few minutes of testing, it seems very good - the most usable of the existing options! My only hesitation is that it only works on Android OS, violating the design goal of platform agnosticism. It also leaks a little bit of metadata (which of your numbers receive an SMS and when) to the developer's Google Cloud Messaging broker, but again, there are much weaker links in the chain.
I haven't yet taken the plunge and ported my mobile number, but voip.ms seems very good. I'm only holding off because I'm not in love with any of their existing options for SMS. I may build a solution to that, and cover it in a subsequent post here. :)
(Opening photo credit Leonard J Matthews on Flickr.)