
Someone said: "Phone numbers are very easy to get in large numbers. US-based SMS numbers that will pass verification for buying sneakers are ~$0.25 each."

Related submission: https://news.ycombinator.com/item?id=44084677



It's worse than that. Not only are temporary bulk phone numbers cheap, phone verification is a profit center for spammers. They acquire a bunch of phone numbers for their own use, but each phone number can be used on any service that requires phone verification, so they can then sell phone verification service to other spammers or privacy-conscious individuals who don't want to give out their phone number, or set up a web page to do it that makes money from ads, and use the profits to expand their spamming operation. Not only that, the more services require phone number verification, the more profitable spamming becomes, because each number has an increased return since it can be used to sell an activation for an account on another service.

Meanwhile people who actually want privacy get screwed, because the spammer's account is going to get banned for spamming in less than a month either way, but a normal user would want to keep the same account indefinitely, and then the site demands that they keep access to the same phone number indefinitely. So then the honest users are stuck paying a monthly fee at the retail rate for a separate phone number for each service in order to avoid giving them all the same phone number to correlate with you. Whereas the spammers pay the wholesale rate once and then more than break even.

The anti-spam value of phone number verification is not just zero but actually negative. Its purpose is to harvest phone numbers from honest people for mass surveillance, and anyone requiring it is making the spam problem worse.


I agree.

Do you have any ideas against bots, or perhaps even spam? Or do we even need any verification to begin with? There are ways to prevent both, at different layers, but I am not sure what would be the best way, especially something that does not sacrifice privacy.


One of the things that works pretty well is invite codes. People want to use a service because their friends use it. Which is to say, because they have someone to get an invite code from. And invite codes don't track very much more than the service is going to learn by who you use the service to communicate with anyway.

But then banning spammers and bots gets a lot easier because it becomes trivial to trace where they got their invite codes and then shut off that account's ability to give them any more, and you have something to investigate if you see large numbers of accounts getting invite codes from the same account.

They can also be used as an alternative to other forms of verification. So to create an account you can either get an invite code, or provide something even more scarce than a phone number, like payment info. Either you have an invite code or you pay $5. Then most people don't have to pay anything because they get a code, people who want in but don't know anyone there yet can pay a nominal fee, and the spammers and bots can't easily do either of these things at scale.


My problem with invite codes is precisely the association with someone (metadata). It is a double-edged sword, because I would think twice before inviting someone (good!), but at the same time I do not want to be responsible for what they do, nor do I want to be associated with it. As for payment information, I would rather not provide that just to use an instant messenger, for example. Thankfully we have metadata-free IMs (e.g. Ricochet Refresh, Session, Briar). That said, I would not dismiss the idea of invite codes so quickly.


The premise of invite codes shouldn't be that you're responsible for anything someone you invite does. You are not your brother's keeper. If you invite a bot, the worst thing that should happen to you is that you're not allowed to issue invite codes anymore. But that's also all you need to solve the problem, because then the set of people who are careless with invite codes and the set of people who can still issue them ceases to overlap.

The nice thing about payments is that it makes an excellent fallback option, because spammers can't use it. It's not even about identifying the user, you can accept cryptocurrency and allow them to stay anonymous because someone who is going to have their account banned after only a few hours regardless can't invest even $5 in it, so it's about the money rather than the identity. And then it's not supposed to be the default option, but it can exist as an option for anyone the other options aren't working for.
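The two comments above sketch a concrete mechanism: every account is created either by redeeming a single-use invite code or by paying a nominal fee; each code records who issued it; when an invited account is banned for spam, the inviter keeps their account but loses the ability to issue further codes; and the operator can list inviters whose invitees keep getting banned. The following is an added example written for this page, not code from any of the commenters or from any real service. The class and method names, the $5 fee, the review thresholds and the sample accounts are all constructed for illustration.

```python
"""Invite-code provenance tracking with a paid fallback (added example).

Models the scheme discussed in the thread: invites are single-use and
attributable, a banned invitee costs the inviter only their invite rights
(not their account), and inviters with many banned invitees are surfaced
for review. Names, thresholds and the scenario below are constructed.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    invited_by: Optional[str]  # None for accounts created via the paid fallback
    can_invite: bool = True
    banned: bool = False


class InviteSystem:
    # Hypothetical review policy: flag an inviter once at least REVIEW_MIN_BANNED
    # of their invitees are banned and that is at least REVIEW_MIN_RATIO of them.
    REVIEW_MIN_BANNED = 3
    REVIEW_MIN_RATIO = 0.5
    FEE_CENTS = 500  # the "$5" fallback from the thread, an assumed value

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.codes: dict[str, str] = {}  # unredeemed code -> issuing account
        self.invitees: dict[str, list[str]] = defaultdict(list)

    def bootstrap(self, name: str) -> Account:
        """Seed account with no inviter (e.g. the operator)."""
        self.accounts[name] = Account(name, invited_by=None)
        return self.accounts[name]

    def issue_code(self, issuer: str) -> str:
        acct = self.accounts[issuer]
        if acct.banned or not acct.can_invite:
            raise PermissionError(f"{issuer} may not issue invite codes")
        code = secrets.token_urlsafe(16)  # unguessable; stored only until redeemed
        self.codes[code] = issuer
        return code

    def redeem(self, code: str, newcomer: str) -> Account:
        issuer = self.codes.pop(code, None)  # pop makes the code single-use
        if issuer is None:
            raise ValueError("invalid or already-used invite code")
        if newcomer in self.accounts:
            raise ValueError("name already registered")
        acct = Account(newcomer, invited_by=issuer)
        self.accounts[newcomer] = acct
        self.invitees[issuer].append(newcomer)
        return acct

    def register_paid(self, newcomer: str, paid_cents: int) -> Account:
        """Fallback path: no inviter is recorded, only that the fee was met."""
        if paid_cents < self.FEE_CENTS:
            raise ValueError("fee not met")
        if newcomer in self.accounts:
            raise ValueError("name already registered")
        self.accounts[newcomer] = Account(newcomer, invited_by=None)
        return self.accounts[newcomer]

    def ban_for_spam(self, name: str) -> None:
        acct = self.accounts[name]
        acct.banned = True
        acct.can_invite = False
        # Design choice: void the spammer's unredeemed codes so they cannot be resold.
        for code in [c for c, iss in self.codes.items() if iss == name]:
            del self.codes[code]
        inviter = acct.invited_by
        if inviter is not None:
            # The inviter is not banned; they only lose the ability to invite.
            self.accounts[inviter].can_invite = False

    def review_candidates(self) -> dict[str, tuple[int, int]]:
        """Inviters whose invitees are disproportionately banned -> (banned, total)."""
        flagged = {}
        for issuer, names in self.invitees.items():
            banned = sum(1 for n in names if self.accounts[n].banned)
            if banned >= self.REVIEW_MIN_BANNED and banned / len(names) >= self.REVIEW_MIN_RATIO:
                flagged[issuer] = (banned, len(names))
        return flagged


def run_scenario() -> dict:
    """Constructed walkthrough: alice invites bob and three bots; the bots are
    banned; alice keeps her account but cannot invite; carol pays instead."""
    s = InviteSystem()
    s.bootstrap("alice")
    s.redeem(s.issue_code("alice"), "bob")
    for bot in ("bot1", "bot2", "bot3"):
        s.redeem(s.issue_code("alice"), bot)
    for bot in ("bot1", "bot2", "bot3"):
        s.ban_for_spam(bot)
    s.register_paid("carol", paid_cents=500)
    try:
        s.issue_code("alice")
        alice_can_invite = True
    except PermissionError:
        alice_can_invite = False
    return {
        "alice_banned": s.accounts["alice"].banned,
        "alice_can_invite": alice_can_invite,
        "bob_invited_by": s.accounts["bob"].invited_by,
        "carol_invited_by": s.accounts["carol"].invited_by,
        "review": s.review_candidates(),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that the inviter in the scenario is never banned, only cut off from issuing new codes, which is the whole enforcement the comment argues is needed; the provenance edge (`invited_by`) is the only piece of metadata the scheme stores beyond what the service would learn anyway, and the paid path records no inviter at all.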



