You are your phone number

I look at the title of this post, and I have this nagging sense that it reads like the title to an essay on societal trust and relationships.

I actually wanted to posit something different: imagine a world where changing your phone number prevents you from buying food.

Welcome to absurdity

Sounds absurd, right?

The idea that a means of communicating with me is so tightly linked with my life that if it changes, for any reason, I risk a massively deleterious effect, like starvation. Let's follow this through first and ask why might it change? Off the top of my head: benign reasons like I just don't want to do the paperwork to port the number over if I don't fancy it, or more privacy related reasons like I want to reset my privacy and restrict the sharing of a new number, or because the company who owns the phone number decides they don't want me on their network anymore.

Obviously this is a pretty stretched circumstance, and I haven't even addressed the link between phone number and food purchase. Porting a phone number between carriers (certainly in the UK) is trivial exercise that involves maybe a phone call and/or a web form, because carrier interoperability is legislated. Buying a second sim is painless enough and requires nothing more than a bank account. The companies who own the phone networks themselves have little to no interest in banning individuals from usage, and would have to coordinate those bans between themselves, otherwise the individual will simply network-hop. The incentives aren't there.

But this is exactly the world we live in if I swap phone number for email address.

If I change my email without thinking about it very carefully, suddenly I can't log in to bank 1, or social media, or hotel booking platform, or my smart lighting system in my own damn home. Or supermarket. Or a dozen other services that I don't remember I need until my email address has gone away.

All of the things that make my phone number fairly stable 2 just don't exist for email. Email has none of the supporting neutrality and interoperability rules 3.

Email, why?!

Email is attached to domains (google.com, microsoft.com, etc), and domains are attached to external entities, and I can't move an email address like I can a phone number. It would be like having a phone number that was 0123456789-O2 or 0123456789-EE - it's impossible to strip the O2 or the EE parts between migrations. This means if I've signed up for free email from Google, but later decide I'd prefer Microsoft to look after my mail, I can't switch. There is no PAC (Porting Authorisation Code) for email. I close down one, and open up another and here I am, potentially locked out of every service I signed up for with the old email until I can reverify using some other mechanism. No universal transfer button, just a lot of very tedious administration.

Technically, email has been coopted on the internet for 4 different functions:

  1. Identifier — a unique string that services use to recognise you ("this is the pieter account")
  2. Verification channel — proof you control that identifier ("click this link we sent you")
  3. Authentication — proving you're you on return visits ("enter your password / use your passkey")
  4. Recovery — getting back in when something breaks ("we'll send a reset link to...")

Your phone number can represent those four functions, but due to history, markets, economics and speed of technical iteration, we didn't start signing up for things with our phone numbers, we started signing up for them with our email addresses.

So, there's no supporting legislation or even incentive to be able to trivially port your email address between providers. The least interesting thing about an email address in 2026 is the fact you can communicate with someone using it, just like you could a phone number 4.

My email has become my identity. It's my login to the 347 different services I've signed up for over the 25+ years I've been using the internet, it's the 2FA recovery path, and the thing that banks and government services are linking against me, which means that's become my identity in a lot of the same ways my National Insurance number is.

Every platform I've touched is joined together by this thread, and crucially, even as we decouple the authentication function with things like passkeys/WebAuthn, we still have to provide email for identifier, verification and recovery, and those are very non-portable.

Obtaining sovereign internet identity

We can address each of the four functions of email by just owning them.

  1. Identity: own the domain. Buy a nice sensible address and rejoice in freedom. This I have.

  2. Verification: connect that domain to an email provider 5. I have sort of done this.

  3. Authentication: use whatever new email address I decide to use on all the services. I really haven't done this.

  4. Recovery: move all the old services to the new email address. I really, really haven't done this.

Important note though, until I've ticked all four of those boxes, I don't have sovereign identity. I have bits of it without the commitment to ownership or operation.

Once upon a time I half started down this road, and sorta lost it somewhere around step 2 and 3. I didn't pay for an actual email provider, rather, I configured Google Mail's aliases to receive from my custom domain, and half managed to figure out how to send from it (poorly). This is not a great experience for me, and even worse for everyone else because my email usually ends up in their spam.

Switching from theirs to mine

Obviously this isn't a new idea 6. But it's something that I absolutely failed to properly migrate to a long time ago, and so now I have to pay the migration costs.

I can export every message I've ever received, but it's the domain that creates the lock-in. I feel like the world has been pushing me (and everyone else) hard away from ownership and into renting of everything. Some times this is okay, and sometimes it feels like too much, and then I rebel 7 and the pendulum swings back to personal ownership.

I am extremely price-sensitive to technology and services, in a way that I'm just not in the real-world, and so like many people I have a gmail.com address. It was cheap and easily obtainable at a time when the services they were providing required an account to log in, and the account came with the email.

Relying on free services operated by other people is a risk I wasn't happy with 7 years ago, and I've gotten less happy over the years. Phone numbers have (some) portability that email never will, but in order to obtain that for myself, I need to treat email (and domains) more like I do my phone contract: monthly monetary commitment to ownership.

Notes

  1. Banks and various financial institutions have gone some way to figuring this out already, often by giving you a public login identifier that is decoupled from your email. That said, if I hit "forgot password" and my email is outdated, I'm still into a whole world of pain trying to fix it.

  2. Granted, stability in one geographic area, not globally. If you're moving country every-other-month then you have a whole set of different concerns, and ironically, a globally stable email address is a much better anchor. To say nothing of the security concerns. Still. They're more portable than email is the point.

  3. Google scanned your messages for ad-targetting for over a decade without it being illegal, and although there's some protection in the spirit of the wiretapping laws originally designed for phone conversations, I don't recall ever changing phone providers to get away from advertising.

  4. Corporate email addresses particularly are often trivially easy to guess, and extremely cheap to mass-deliver, so they're a great target for unsolicited outreach, which also has the effect of lowering the importance of their content in many cases.

  5. While it's technically feasible to host your own incoming and outgoing mailserver, it's not been possible to send email from residential IP addresses for years, and the risks and overhead of managing such a service are really best outsourced to companies who are happy to use their SMTP to send on my behalf.

  6. Derek Sivers has been preaching sovereignty as "tech independence" for quite some time, and the IndieWeb crowd are all about domain-as-identity, and content ownership.

  7. 7 years ago I wrote about "Designing my digital life (again)", ostensibly about privacy, but I read it back now and it's much more about sovereignty and ownership than privacy per-se.