Privacy Guides @lemmy.one online @programming.dev 1 yr. ago

Do eSIMs have any downsides from a privacy standpoint?

Compared to regular SIM cards.

SIMs are easier to swap if needing to switch phone, but I only see this as a convenience. I don't see why it would be more private.

I have little knowledge on how eSIMs work, but something in the back of my mind, tells me that somehow, eSIMs are bad for privacy :(

Anybody care to share their views on this?

37 comments

e-SIM cards are not more private than physical SIM cards. Both of them bind to your phone, and the carrier will now know your IMEI and IMSI. Both of these can be tied to your phone even after you remove the SIM card.

So if you have a burner phone, and you attach it to a SIM card you own elsewhere, that burner is now tied to that identity.

If you're worried about tracking put your phone into airplane mode, at least for Android devices that's pretty good at disengaging from the towers. Then you won't be tracked by the cell companies, but you're limited to Wi-Fi.

But let's go crazy, let's say you buy a burner phone, and you only put eSims on it you buy anonymously, or SIM cards you buy with cash, that will still give your identity away by geographic proximity to your house. If you have the phone on in places that are connected to you, there will be location history showing you frequent those places. So if you're going to go to this level, you better not use cellular anywhere that's associated with you.
- And of course, even on WiFi 'Google retains a detailed map of known Wi-Fi networks and access points. By knowing the exact location of these networks, and your proximity to them, its location services can gauge your location with roughly 30 feet of accuracy.'
  
  Quote is from a Future Tense article from five years ago. https://slate.com/technology/2018/06/how-google-uses-wi-fi-networks-to-figure-out-your-exact-location.html
  
  if your going down this route, you really can't use stock android. grapheneos
  
  I do get there are privacy ramifications to this, but the alternative is having to wait like 2+ minutes for a accurate gps lock every time your phone needs location.
- And of course, even on WiFi 'Google retains a detailed map of known Wi-Fi networks and access points. By knowing the exact location of these networks, and your proximity to them, its location services can gauge your location with roughly 30 feet of accuracy.'
  
  Quote is from a Future Tense article from five years ago. https://slate.com/technology/2018/06/how-google-uses-wi-fi-networks-to-figure-out-your-exact-location.html
All of your mobile traffic goes through your carrier. Assume that none of it is private, unless you're taking privacy measures like a trusted VPN.

I don't see how an eSIM is any worse than a SIM.
- Totally.
  
  I guess the privacy advantage of a regular SIM is that as soon as you pop out the sim card out of your phone, towers can't track you anymore.
  
  With eSIMs on the other hand, I can never truly trust that an eSIM is de-activated? Feels like you actually just have a permanent sim card in your phone and your phone can just be tracked no matter the status of your eSIM. Or is this not technically possible?
  
  Towers can still track you by the IMEI number.
  
  One of the suspects in the Bali bombings was caught because while they frequently changed Sims, they didn't change devices. They were tracked by the IMEI.
  
  That's correct. Iphones are especially vulnerable to that since they don't shut down all the way and always keep some radios enabled. Android devices will generally shut down properly.
  
  But in any case, do you really need to worry about tracking by a carrier? Locating a phone is possible but not easy and usually only happens when it's specifically requested by the police.
  
  If that's your threat level, you probably don't want to own a phone at all.
  
  You can erase the eSim. You can also turn it off, but I'm not sure to what extent is it disabled.
  
  Turn it off and put it in a Faraday-cage bag.
  
  If a phone can track you with a deactivated eSIM then it can also track you without a SIM, by just also giving you a secret eSIM for use when your regular SIM is missing, and then simply lying to you about it.
  
  The SIM is just an identifier. There's nothing particularly special on a SIM card, that's why the switch to eSIM has happened so seamlessly. So, you're right; it's totally POSSIBLE that an eSIM could stick around if you delete. But it's also possible that your phone could save the info on a SIM card.
  
  For the record, I don't think that's likely. Your phone's operating system (iPhone or Android) is built by a different company than the carriers that presumably want to track you. I doubt they're secretly colluding with carriers, because Apple and Google (especially Google) have enormous business models built around tracking you, and profiting off your data.
- Really not helpful
  
  What other info can help distinguish between regular sims and esims in terms of privacy?
  
  Or alternatively what's missing from thecomments?
  
  Asking, not trying to challenge you, I'm honestly trying to learn
  
  OP disagrees
I remember reading that for custom ROM developers it's complicated (or even not possible?) to implement eSIM support because the use of it requires google services.
- As I understand it, it is not impossible, just too much effort to register an esim without google services. However, once registered, they are not needed anymore. So one solution is to register the esim on stock android before installing a custom ROM.
  
  GrapheneOS has an even better solution where you can temporarily install google services in userspace and give them control of the esim module to register an esim and then remove the access and optionally uninstall them.
It depends whether you can buy one anonymously - you probably can't, I guess, as for what I know, providers tend to offer eSIM only with contracts and not prepaid options. Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.

Tho there isn't really any reason why eSIMs couldn't be sold the same way, as it's just a QR code.

The other problem is that in order to move the eSIM from one phone to another, it needs to be deactivated on the first one, which requires an internet connection. That's more of a practical concern than one of privacy I guess.
- Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.
  
  Unfortunately there are many countries where the law requires activation with identity documents.
  Surely somewhere one can find them already activated, but I wonder what legal or other kind of problems it may cause.
  
  Most countries in fact, but you can get them if you want. Though I guess you never know if it's not a honeypot operation.
- you can get pre-paid esims easily with Arlo and other travel e-sim vendors. If you use a gift card to pay, its pretty anonymous (but once you tie it to a phone, you lose that)
  
  Cool, it's still more of an exception though. Here in most of Europe it's barely a thing.
Afaik simcards run a simplified version of Java that has full hardware access and can be updated remotely. I don't see how it can possibly get any worse than that.
- It doesn't have full hardware access, it's sandboxed.
  
  I'm no expert in the matter, I learned it from a def con-like talk.
- What do you mean by simcards "run"? I thought they only stored data?
  
  I'm no expert in the matter however this is what I understand from it.
  
  Chips like the one in your debit card are fully fledged computers and do run software. When you plug it into something it receives power and interfaces with the other system. That's why it is secure, because like a pc it can use encryption etc.
  
  Come to think of it, they must also be able to run with the low power provided by near field transmission, aka contactless payment.
  
  Anyhoots the same kinda chip is on a simcard.
  
  As far as I understand it they run a more limited version of Java, has full access to your hardware including being able to read all memory, and being updatable remotely.
  
  You might also be interested to know that modern hardware commonly has such secondary computers with full access built in. Take the intel management engine for example, which is part of every modern intel cpu. However there are privacy oriented companies that disable these.
  
  The real question is who has access to these things and what are their interests. It might not necessarily be a malevolent actor. It's one of the challenges of our time to answer questions related to these topics.
  
  It is called Java Card https://www.oracle.com/java/java-card/
  
  Nope, they are computers that run a Java-based OS.
  
  If we want to talk about smartcards in general (contactless, chip-based, dongle-based) some of them only store/retrieve data, some only store a single unchangeble identifier, but others like banking cards & transit cards tend to run a small operating system that you can talk to, and even run applications on.
  
  With a cheap USB card reader, you can actually interact with the operating system on a chip-based bank card using Linux
The only thing it improves is data security which can in some extent resist against identity theft, financial fraud, etc. Does having an eSIM card improve my data security?

Yes, there are significant security benefits. An eSIM card cannot be stolen without stealing the phone, whereas removable SIM cards are sometimes stolen, and used in port out scams. That's when identity thieves fraudulently swap stolen SIM cards into different phones to gain access to the victim’s calls and text messages. The thieves may then try to reset credentials and gain access to the victim's financial and social media accounts.

For more information about SIM swapping, port out scams, cell phone cloning and subscriber fraud, see our consumer guide on cell phone fraud. https://www.fcc.gov/consumers/guides/esim-cards-faq

You've viewed 37 comments.