Mandatory ID is the breach, not the fix.

Opening Claim

The FCC proposal requires telecoms to collect government-issued identification from every prepaid mobile customer. This is not security policy. It is a centralized identity registry attached to a communications graph. The stated objective is attribution. The mechanism is mass identification of subscribers who previously had none on record.

The framing matters. A burner phone is not a threat. It is a privacy boundary. The boundary exists because anonymous prepaid devices break the link between a real-world identity and a communications endpoint. Removing that boundary does not measurably reduce crime in any outcome that has been demonstrated in the public record. It produces a dataset. The dataset is the actual product of this policy.

That dataset becomes the asset. Every prepaid subscriber identity sits inside carrier systems that have a recurring breach history. The specific carriers, breach counts, and disclosure dates are public record and do not need to be restated here. The question is not whether the data is misused. The question is who reaches it first: a subpoena, a SIM-swap crew, a contracted insider, or a credential-stuffed account on a carrier portal. Each of those access paths already exists. The policy adds a verified identity to every record they can touch.

The Original Assumption

The prepaid model in the United States was built on disposability. A user could buy a SIM with cash, activate it without a verified ID check, and operate a phone number that was not tied to a confirmed real-world identity at the point of sale. That was the practical baseline. It served domestic abuse survivors, journalists protecting sources, activists, and ordinary people who did not want every call resolvable to their legal name. The threat model behind that choice was specific: a hostile party with the means to query a carrier should not be able to identify the user.

The carriers tolerated this because enforced identity verification on prepaid had not arrived in the United States in any binding form. Other jurisdictions made the opposite decision years earlier. The presence of mandatory SIM registration in other countries is documented. The US prepaid market remained one of the larger jurisdictions where a phone number did not require an identity document at the point of sale. That gap was not an oversight. It functioned as a control surface.

The assumption underneath that control was straightforward. Identity and communications endpoint should not be coupled by default. Coupling them creates a single dataset that, if compromised, exposes both at once. The prepaid carve-out kept those two things separate at the registration layer. Call detail records still existed. Cell-site location still existed. Metadata still existed. What did not exist was a verified key that resolved all of it to a named person without additional investigative work. The friction was the protection.

What Changed

The FCC proposal moves the identification requirement to the carrier and makes it a condition of service. Telecoms become the collection point for government-issued ID, bound to the SIM, bound to the device identifier, bound to the assigned number, bound to the call records the carrier already retains under existing retention obligations. The collection mechanism is not new. The aggregation point is. The identity verification step is now upstream of every record the carrier generates from that moment forward.

The user brief references biometric data and location and call pattern collection as part of the policy scope. That specific scope is not confirmed in the public proposal at this point. What is confirmed is the identity verification requirement at registration. The remainder is the predictable consequence of attaching a verified identity to a communications endpoint that already produces call detail records, cell-site location, and signaling metadata as a function of normal carrier operation. The data was always there. The identity was the missing key. The policy supplies the key.

Once that key exists, the existing data stops being pseudonymous. Every historical record tied to that number resolves to a person. Every future record resolves to a person. The carrier becomes the de facto holder of an identity-resolved communications graph for every prepaid customer in its base. Access to that graph through court order, through breach, through insider abuse, through SIM-swap social engineering, or through lawful intercept, is no longer constrained by the difficulty of identifying the subscriber. The hardest step in subscriber attribution has been removed at the source, by regulation, and stored in systems whose breach history is already documented.

Mechanism of Failure or Drift

The mechanism described in the proposal creates a single-key system. Identity verification at registration produces a stored credential that resolves every downstream record the carrier generates against that subscriber. The failure mode is structural. It does not depend on bad faith. It depends only on the existence of the key and on the existing access paths to carrier data.

OSINT collection against a target currently requires bridging a gap. Either a known identity needs to be matched to an unknown number, or a known number needs to be matched to an unknown identity. That bridging step has historical friction. Prepaid numbers without a registered identity required correlation work: tower-adjacent geotagged content, voluntary disclosure by the target, paid data broker queries against name and address to find associated lines, or social engineering against the target’s contacts. The friction was the protection. The protection was not a control inside the carrier. It was an absence of a key.

A verified prepaid registry collapses that friction at the source. A query that returns a name from a number, or a number from a name, becomes a single lookup against the carrier record. The query does not need to be legal to succeed. The query needs to reach the record. Reaching the record requires one of a small number of access paths: a subpoena pipeline, a SIM-swap pretext against carrier support, a credential-stuffed retailer or carrier portal account, an insider with retail or back-office access, or a breach of the subscriber database. Every one of those access paths is documented in public incident reports against US carriers. None of them are theoretical. The proposal does not modify any of them. It adds a verified identity to the records they already touch.

Expansion into Parallel Pattern

The same mechanism has run before. Mandatory identity collection at a service registration point, stored in systems with pre-existing weak access controls, produces predictable exposure when a breach or insider event occurs. The pattern does not depend on the type of service. It depends on the coupling of verified identity to behavioral records at a single collection point that the operator does not modify before the mandate takes effect.

The pattern is present in financial KYC datasets where identity documents are stored alongside transaction history and then exposed in vendor breaches. It is present in age-verification mandates where third parties collect government ID and the collection point is breached independently of the platform that required it. It is present in mandatory SIM registration regimes in other jurisdictions where leaked registry data was subsequently used to target named subscribers. The specific incidents are public record. The structural feature is identical across all of them: a regulatory mandate produces a dataset, the dataset is held in systems whose breach surface predates the mandate, and the breach surface is not modified by the mandate.

The prepaid registry will track the same curve unless storage architecture, access controls, audit enforcement, and retention limits are specified and bound to the collection requirement. Storage and access control modifications are not part of the FCC proposal as cited in the brief. That gap is the mechanism. The data will exist. The access paths will exist. The matching identities will exist. The only variable left is latency between collection and the first material misuse. Latency is not a control.

Hard Closing Truth

A communications endpoint coupled to a verified identity at the carrier layer is not a privacy exposure that can be patched after the fact. The coupling is the system. Once the registry exists, the only operational question is who reaches it and under what authority. Subpoena, breach, insider abuse, SIM-swap pretexting, and lawful intercept are not equivalent threats, but they all act on the same dataset. The dataset is the single point of failure. There is no compensating control proposed alongside it.

For the operator, the conclusion is direct. A prepaid SIM in the post-registration regime is no longer a privacy boundary. It is a registered communications endpoint with the same attribution properties as a postpaid line. Any threat model that previously relied on prepaid disposability as a separation layer between identity and number requires revision now, not after rollout. The categories of user who depended on that separation, including domestic abuse survivors, journalists protecting sources, and individuals operating under hostile-state attention, are not protected by the proposal. They are catalogued by it. That is the outcome, regardless of intent.

The FCC has not proposed a security control. It has proposed a collection mandate. The framing of attribution as a public safety outcome is not supported by demonstrated crime reduction in the public record as cited. The actual deliverable is a centralized identity-resolved communications graph held by entities with documented breach history. Any threat model built against a target population on US infrastructure should treat the registry as compromised at the moment it goes live. Treating it otherwise is not a security position. It is an assumption that the system will behave better than every comparable system has behaved before it. That assumption is not supported.

See also: NordVPN for tunneled traffic when operating outside controlled networks.

---

#ad Contains an affiliate link.