this post was submitted on 02 Sep 2023
87 points (100.0% liked)


Compared to regular SIM cards.

SIMs are easier to swap if needing to switch phone, but I only see this as a convenience. I don't see why it would be more private.

I have little knowledge on how eSIMs work, but something in the back of my mind, tells me that somehow, eSIMs are bad for privacy :(

Anybody care to share their views on this?

[–] jet@hackertalks.com 53 points 1 year ago (2 children)

e-SIM cards are not more private than physical SIM cards. Both of them bind to your phone, and the carrier will now know your IMEI and IMSI. Both of these can be tied to your phone even after you remove the SIM card.

So if you have a burner phone, and you attach it to a SIM card you own elsewhere, that burner is now tied to that identity.

If you're worried about tracking, put your phone into airplane mode; at least for Android devices, that's pretty good at disengaging from the towers. Then you won't be tracked by the cell companies, but you're limited to Wi-Fi.

But let's go crazy, let's say you buy a burner phone, and you only put eSims on it you buy anonymously, or SIM cards you buy with cash, that will still give your identity away by geographic proximity to your house. If you have the phone on in places that are connected to you, there will be location history showing you frequent those places. So if you're going to go to this level, you better not use cellular anywhere that's associated with you.

[–] Cheradenine@sh.itjust.works 22 points 1 year ago (2 children)

And of course, even on WiFi 'Google retains a detailed map of known Wi-Fi networks and access points. By knowing the exact location of these networks, and your proximity to them, its location services can gauge your location with roughly 30 feet of accuracy.'

Quote is from a Future Tense article from five years ago. https://slate.com/technology/2018/06/how-google-uses-wi-fi-networks-to-figure-out-your-exact-location.html

[–] jet@hackertalks.com 7 points 1 year ago

If you're going down this route, you really can't use stock Android. GrapheneOS.

[–] jetsetdorito@lemm.ee 4 points 1 year ago (1 children)

I do get there are privacy ramifications to this, but the alternative is having to wait like 2+ minutes for an accurate GPS lock every time your phone needs location.

[–] Cheradenine@sh.itjust.works 2 points 1 year ago

I do not mean this in a snarky way, everyone has their own priorities. I don't use location for anything. If I did, having to wait would be an inconvenience.

[–] PeachMan@lemmy.one 27 points 1 year ago (2 children)

All of your mobile traffic goes through your carrier. Assume that none of it is private, unless you're taking privacy measures like a trusted VPN.

I don't see how an eSIM is any worse than a SIM.

[–] online@programming.dev 14 points 1 year ago (6 children)

Totally.

I guess the privacy advantage of a regular SIM is that as soon as you pop the SIM card out of your phone, towers can't track you anymore.

With eSIMs on the other hand, I can never truly trust that an eSIM is de-activated? Feels like you actually just have a permanent sim card in your phone and your phone can just be tracked no matter the status of your eSIM. Or is this not technically possible?

[–] Cheradenine@sh.itjust.works 16 points 1 year ago

Towers can still track you by the IMEI number.

One of the suspects in the Bali bombings was caught because while they frequently changed Sims, they didn't change devices. They were tracked by the IMEI.
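Why swapping SIMs without swapping handsets (or the reverse) does not reset an identity, as an added example that is not part of any comment in this thread: the network sees an (IMEI, IMSI) pair on every attach, so any shared value joins the records. The log entries, identifiers and function name below are constructed for illustration.

```python
from collections import defaultdict

# Constructed attach records (IMEI = handset, IMSI = SIM/eSIM profile, serving cell).
# Every identifier below is made up for illustration.
ATTACH_LOG = [
    ("IMEI-A", "IMSI-1", "cell-home"),
    ("IMEI-A", "IMSI-2", "cell-cafe"),  # new SIM, same handset
    ("IMEI-B", "IMSI-2", "cell-home"),  # that SIM moved into a "burner"
    ("IMEI-C", "IMSI-9", "cell-port"),  # unrelated subscriber
]


def link_identities(records):
    """Group handsets and SIMs that were ever seen together (union-find)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for imei, imsi, _cell in records:
        root_a, root_b = find(("imei", imei)), find(("imsi", imsi))
        if root_a != root_b:
            parent[root_b] = root_a

    clusters = defaultdict(lambda: {"imei": set(), "imsi": set(), "cells": set()})
    for imei, imsi, cell in records:
        cluster = clusters[find(("imei", imei))]
        cluster["imei"].add(imei)
        cluster["imsi"].add(imsi)
        cluster["cells"].add(cell)
    return sorted(clusters.values(), key=lambda c: sorted(c["imei"]))


if __name__ == "__main__":
    for cluster in link_identities(ATTACH_LOG):
        print({k: sorted(v) for k, v in cluster.items()})
```

The first cluster contains both handsets, both SIMs and the home cell, which is the linkage the comments above describe.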

[–] nottheengineer@feddit.de 8 points 1 year ago

That's correct. iPhones are especially vulnerable to that since they don't shut down all the way and always keep some radios enabled. Android devices will generally shut down properly.

But in any case, do you really need to worry about tracking by a carrier? Locating a phone is possible but not easy and usually only happens when it's specifically requested by the police.

If that's your threat level, you probably don't want to own a phone at all.

[–] regalia@literature.cafe 5 points 1 year ago

You can erase the eSIM. You can also turn it off, but I'm not sure to what extent it is disabled.

[–] Raisin8659@monyet.cc 4 points 1 year ago (1 children)

Turn it off and put it in a Faraday-cage bag.

[–] ReversalHatchery@beehaw.org 3 points 1 year ago (1 children)

And now I have an expensive brick, as I can't use it. Thanks.

[–] oo1@kbin.social 3 points 1 year ago

look on the bright side; if you get a few more, you could build an expensive wall

[–] OmnipotentEntity@beehaw.org 4 points 1 year ago

If a phone can track you with a deactivated eSIM then it can also track you without a SIM, by just also giving you a secret eSIM for use when your regular SIM is missing, and then simply lying to you about it.

[–] PeachMan@lemmy.one 3 points 1 year ago* (last edited 1 year ago)

The SIM is just an identifier. There's nothing particularly special on a SIM card, that's why the switch to eSIM has happened so seamlessly. So, you're right; it's totally POSSIBLE that an eSIM could stick around if you delete it. But it's also possible that your phone could save the info on a SIM card.

For the record, I don't think that's likely. Your phone's operating system (iPhone or Android) is built by a different company than the carriers that presumably want to track you. I doubt they're secretly colluding with carriers, because Apple and Google (especially Google) have enormous business models built around tracking you, and profiting off your data.

[–] HughJanus@lemmy.ml 4 points 1 year ago (2 children)
[–] Scolding7300@lemmy.world 4 points 1 year ago* (last edited 1 year ago) (1 children)

What other info can help distinguish between regular sims and esims in terms of privacy?

Or alternatively, what's missing from the comments?

Asking, not trying to challenge you, I'm honestly trying to learn

[–] HughJanus@lemmy.ml 2 points 1 year ago

> What other info can help distinguish between regular sims and esims in terms of privacy?

Don't know but OP asked a very specific question and this person gave a very generic answer that didn't address the question that was asked at all.

[–] PeachMan@lemmy.one 1 points 1 year ago

OP disagrees

[–] ReversalHatchery@beehaw.org 18 points 1 year ago (1 children)

I remember reading that for custom ROM developers it's complicated (or even not possible?) to implement eSIM support because the use of it requires Google services.

[–] MajesticFlame@lemmy.one 20 points 1 year ago

As I understand it, it is not impossible, just too much effort to register an eSIM without Google services. However, once registered, they are not needed anymore. So one solution is to register the eSIM on stock Android before installing a custom ROM.

GrapheneOS has an even better solution where you can temporarily install Google services in userspace and give them control of the eSIM module to register an eSIM and then remove the access and optionally uninstall them.

[–] WhoRoger@lemmy.world 10 points 1 year ago (2 children)

It depends whether you can buy one anonymously - you probably can't, I guess, as for what I know, providers tend to offer eSIM only with contracts and not prepaid options. Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.

Tho there isn't really any reason why eSIMs couldn't be sold the same way, as it's just a QR code.

The other problem is that in order to move the eSIM from one phone to another, it needs to be deactivated on the first one, which requires an internet connection. That's more of a practical concern than one of privacy I guess.
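What that QR code carries, as an added example that is not part of the original comment: a parser for the eSIM activation code format from GSMA SGP.22 (`LPA:1$<SM-DP+ address>$<matching ID>[$<OID>[$<flag>]]`). The sample string, host name and matching ID are constructed; the code only names the carrier's download server and a token, and the profile itself is fetched from that server over the network.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ActivationCode:
    smdp_address: str            # carrier-side server the phone will contact
    matching_id: str             # token naming the pending profile (may be empty)
    smdp_oid: Optional[str]      # optional object identifier of the SM-DP+
    confirmation_required: bool  # user must also enter a confirmation code


def parse_activation_code(text: str) -> ActivationCode:
    """Parse an SGP.22 activation code, with or without the QR 'LPA:' prefix."""
    text = text.strip()
    if text[:4].upper() == "LPA:":
        text = text[4:]
    fields = text.split("$")
    if not 3 <= len(fields) <= 5:
        raise ValueError("expected 3 to 5 '$'-delimited fields")
    if fields[0] != "1":
        raise ValueError(f"unsupported activation code format {fields[0]!r}")
    address = fields[1]
    if not address or any(ch.isspace() for ch in address):
        raise ValueError("missing or malformed SM-DP+ address")
    oid = fields[3] if len(fields) > 3 and fields[3] else None
    flag = fields[4] if len(fields) > 4 else ""
    if flag not in ("", "1"):
        raise ValueError("confirmation flag must be '1' or absent")
    return ActivationCode(address, fields[2], oid, flag == "1")


# Constructed sample: example.com host and a made-up matching ID.
SAMPLE_QR = "LPA:1$smdp.example.com$CONSTRUCTED-MATCHING-ID$$1"

if __name__ == "__main__":
    print(parse_activation_code(SAMPLE_QR))
```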

[–] Infiltrated_ad8271@kbin.social 9 points 1 year ago (1 children)

> Physical SIMs you can get on the street in many places, vending machines, eBay, wherever.

Unfortunately there are many countries where the law requires activation with identity documents.
Surely somewhere one can find them already activated, but I wonder what legal or other kind of problems it may cause.

[–] WhoRoger@lemmy.world 3 points 1 year ago

Most countries in fact, but you can get them if you want. Though I guess you never know if it's not a honeypot operation.

[–] jet@hackertalks.com 3 points 1 year ago (1 children)

You can get pre-paid eSIMs easily with Arlo and other travel eSIM vendors. If you use a gift card to pay, it's pretty anonymous (but once you tie it to a phone, you lose that).

[–] WhoRoger@lemmy.world 1 points 1 year ago

Cool, it's still more of an exception though. Here in most of Europe it's barely a thing.

[–] xilliah@beehaw.org 6 points 1 year ago (2 children)

Afaik simcards run a simplified version of Java that has full hardware access and can be updated remotely. I don't see how it can possibly get any worse than that.

[–] regalia@literature.cafe 6 points 1 year ago (1 children)

It doesn't have full hardware access, it's sandboxed.

[–] xilliah@beehaw.org 2 points 1 year ago (1 children)

I'm no expert in the matter, I learned it from a DEF CON-like talk.

[–] regalia@literature.cafe 2 points 1 year ago (1 children)

Nvm that may be a GrapheneOS only thing, idk

[–] xilliah@beehaw.org 2 points 1 year ago

Well if it's anything like the IME then you can disable it on a hardware level, and an OS wouldn't have any control over it.

[–] morrowind@lemmy.ml 3 points 1 year ago (3 children)

What do you mean by simcards "run"? I thought they only stored data?

[–] xilliah@beehaw.org 5 points 1 year ago (1 children)

I'm no expert in the matter however this is what I understand from it.

Chips like the one in your debit card are fully fledged computers and do run software. When you plug it into something it receives power and interfaces with the other system. That's why it is secure, because like a pc it can use encryption etc.

Come to think of it, they must also be able to run with the low power provided by near field transmission, aka contactless payment.

Anyhoots the same kinda chip is on a simcard.

As far as I understand it, they run a more limited version of Java, have full access to your hardware including being able to read all memory, and are updatable remotely.

You might also be interested to know that modern hardware commonly has such secondary computers with full access built in. Take the Intel Management Engine for example, which is part of every modern Intel CPU. However there are privacy oriented companies that disable these.

The real question is who has access to these things and what are their interests. It might not necessarily be a malevolent actor. It's one of the challenges of our time to answer questions related to these topics.

[–] morrowind@lemmy.ml 2 points 1 year ago

Yeah I knew about NFC. That's kinda wild. Didn't realize it could actually process anything on card.

[–] lemann@lemmy.one 3 points 1 year ago

Nope, they are computers that run a Java-based OS.

If we want to talk about smartcards in general (contactless, chip-based, dongle-based) some of them only store/retrieve data, some only store a single unchangeable identifier, but others like banking cards & transit cards tend to run a small operating system that you can talk to, and even run applications on.

With a cheap USB card reader, you can actually interact with the operating system on a chip-based bank card using Linux

[–] Laitinlok@discuss.tchncs.de 3 points 1 year ago

The only thing it improves is data security, which can to some extent resist identity theft, financial fraud, etc.

> Does having an eSIM card improve my data security?
>
> Yes, there are significant security benefits. An eSIM card cannot be stolen without stealing the phone, whereas removable SIM cards are sometimes stolen, and used in port out scams. That's when identity thieves fraudulently swap stolen SIM cards into different phones to gain access to the victim's calls and text messages. The thieves may then try to reset credentials and gain access to the victim's financial and social media accounts.
>
> For more information about SIM swapping, port out scams, cell phone cloning and subscriber fraud, see our consumer guide on cell phone fraud.

https://www.fcc.gov/consumers/guides/esim-cards-faq