Do eSIMs have any downsides from a privacy standpoint? - eviltoast

Compared to regular SIM cards.

SIMs are easier to swap if needing to switch phone, but I only see this as a convenience. I don’t see why it would be more private.

I have little knowledge on how eSIMs work, but something in the back of my mind, tells me that somehow, eSIMs are bad for privacy :(

Anybody care to share their views on this?

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    53
    ·
    1 year ago

    e-SIM cards are not more private than physical SIM cards. Both of them bind to your phone, and the carrier will now know your IMEI and IMSI. Both of these can be tied to your phone even after you remove the SIM card.

    So if you have a burner phone, and you attach it to a SIM card you own elsewhere, that burner is now tied to that identity.

    If you’re worried about tracking put your phone into airplane mode, at least for Android devices that’s pretty good at disengaging from the towers. Then you won’t be tracked by the cell companies, but you’re limited to Wi-Fi.

    But let’s go crazy, let’s say you buy a burner phone, and you only put eSims on it you buy anonymously, or SIM cards you buy with cash, that will still give your identity away by geographic proximity to your house. If you have the phone on in places that are connected to you, there will be location history showing you frequent those places. So if you’re going to go to this level, you better not use cellular anywhere that’s associated with you.

  • PeachMan@lemmy.one
    link
    fedilink
    English
    arrow-up
    28
    ·
    1 year ago

    All of your mobile traffic goes through your carrier. Assume that none of it is private, unless you’re taking privacy measures like a trusted VPN.

    I don’t see how an eSIM is any worse than a SIM.

    • online@programming.devOP
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      Totally.

      I guess the privacy advantage of a regular SIM is that as soon as you pop out the sim card out of your phone, towers can’t track you anymore.

      With eSIMs on the other hand, I can never truly trust that an eSIM is de-activated? Feels like you actually just have a permanent sim card in your phone and your phone can just be tracked no matter the status of your eSIM. Or is this not technically possible?

      • Cheradenine@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Towers can still track you by the IMEI number.

        One of the suspects in the Bali bombings was caught because while they frequently changed Sims, they didn’t change devices. They were tracked by the IMEI.

      • nottheengineer@feddit.de
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        That’s correct. Iphones are especially vulnerable to that since they don’t shut down all the way and always keep some radios enabled. Android devices will generally shut down properly.

        But in any case, do you really need to worry about tracking by a carrier? Locating a phone is possible but not easy and usually only happens when it’s specifically requested by the police.

        If that’s your threat level, you probably don’t want to own a phone at all.

      • regalia@literature.cafe
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        You can erase the eSim. You can also turn it off, but I’m not sure to what extent is it disabled.

      • OmnipotentEntity@beehaw.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        If a phone can track you with a deactivated eSIM then it can also track you without a SIM, by just also giving you a secret eSIM for use when your regular SIM is missing, and then simply lying to you about it.

      • PeachMan@lemmy.one
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        The SIM is just an identifier. There’s nothing particularly special on a SIM card, that’s why the switch to eSIM has happened so seamlessly. So, you’re right; it’s totally POSSIBLE that an eSIM could stick around if you delete. But it’s also possible that your phone could save the info on a SIM card.

        For the record, I don’t think that’s likely. Your phone’s operating system (iPhone or Android) is built by a different company than the carriers that presumably want to track you. I doubt they’re secretly colluding with carriers, because Apple and Google (especially Google) have enormous business models built around tracking you, and profiting off your data.

      • Scolding7300@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        What other info can help distinguish between regular sims and esims in terms of privacy?

        Or alternatively what’s missing from thecomments?

        Asking, not trying to challenge you, I’m honestly trying to learn

        • HughJanus@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          What other info can help distinguish between regular sims and esims in terms of privacy?

          Don’t know but OP asked a very specific question and this person gave a very generic answer that didn’t address the question that was asked at all.

  • ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    I remember reading that for custom ROM developers it’s complicated (or even not possible?) to implement eSIM support because the use of it requires google services.

    • MajesticFlame@lemmy.one
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      As I understand it, it is not impossible, just too much effort to register an esim without google services. However, once registered, they are not needed anymore. So one solution is to register the esim on stock android before installing a custom ROM.

      GrapheneOS has an even better solution where you can temporarily install google services in userspace and give them control of the esim module to register an esim and then remove the access and optionally uninstall them.

  • WhoRoger@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    It depends whether you can buy one anonymously - you probably can’t, I guess, as for what I know, providers tend to offer eSIM only with contracts and not prepaid options. Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.

    Tho there isn’t really any reason why eSIMs couldn’t be sold the same way, as it’s just a QR code.

    The other problem is that in order to move the eSIM from one phone to another, it needs to be deactivated on the first one, which requires an internet connection. That’s more of a practical concern than one of privacy I guess.

    • Infiltrated_ad8271@kbin.social
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.

      Unfortunately there are many countries where the law requires activation with identity documents.
      Surely somewhere one can find them already activated, but I wonder what legal or other kind of problems it may cause.

      • WhoRoger@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Most countries in fact, but you can get them if you want. Though I guess you never know if it’s not a honeypot operation.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      you can get pre-paid esims easily with Arlo and other travel e-sim vendors. If you use a gift card to pay, its pretty anonymous (but once you tie it to a phone, you lose that)

      • WhoRoger@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Cool, it’s still more of an exception though. Here in most of Europe it’s barely a thing.

  • Elise@beehaw.org
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Afaik simcards run a simplified version of Java that has full hardware access and can be updated remotely. I don’t see how it can possibly get any worse than that.

          • Elise@beehaw.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Well if it’s anything like the IME then you can disable it on a hardware level, and an OS wouldn’t have any control over it.

      • Elise@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        I’m no expert in the matter however this is what I understand from it.

        Chips like the one in your debit card are fully fledged computers and do run software. When you plug it into something it receives power and interfaces with the other system. That’s why it is secure, because like a pc it can use encryption etc.

        Come to think of it, they must also be able to run with the low power provided by near field transmission, aka contactless payment.

        Anyhoots the same kinda chip is on a simcard.

        As far as I understand it they run a more limited version of Java, has full access to your hardware including being able to read all memory, and being updatable remotely.

        You might also be interested to know that modern hardware commonly has such secondary computers with full access built in. Take the intel management engine for example, which is part of every modern intel cpu. However there are privacy oriented companies that disable these.

        The real question is who has access to these things and what are their interests. It might not necessarily be a malevolent actor. It’s one of the challenges of our time to answer questions related to these topics.

        • morrowind@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Yeah I knew about nfc. That’s kinda wild. Didn’t realize it could actually process anything on card.

      • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Nope, they are computers that run a Java-based OS.

        If we want to talk about smartcards in general (contactless, chip-based, dongle-based) some of them only store/retrieve data, some only store a single unchangeble identifier, but others like banking cards & transit cards tend to run a small operating system that you can talk to, and even run applications on.

        With a cheap USB card reader, you can actually interact with the operating system on a chip-based bank card using Linux

  • Laitinlok@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    The only thing it improves is data security which can in some extent resist against identity theft, financial fraud, etc. Does having an eSIM card improve my data security?

    Yes, there are significant security benefits. An eSIM card cannot be stolen without stealing the phone, whereas removable SIM cards are sometimes stolen, and used in port out scams. That’s when identity thieves fraudulently swap stolen SIM cards into different phones to gain access to the victim’s calls and text messages. The thieves may then try to reset credentials and gain access to the victim’s financial and social media accounts.

    For more information about SIM swapping, port out scams, cell phone cloning and subscriber fraud, see our consumer guide on cell phone fraud. https://www.fcc.gov/consumers/guides/esim-cards-faq