I will keep using SIM as long as it is possible, not only is eSIM a way for operators to impose restrictions on unlocked pre-paid phones, some really like to take their cut every time that eSIM gets moved, for something free of charge and doable under a few seconds with a regular SIM.
What good is competition if privacy are not maintained?
If anything, lack of privacy is causing this massive "gold rush" toward eSIM. Ancillary benefits are massive for ad companies, vendors, sales, marketers.
I bought an iPhone 16e which I am about to sell, not only because of iOS 26 (horrific looking and battery drain), but I did not know they switched to only eSIMs. I have a flip phone which I like to use when I have no need for a smart phone. Now there is no way for me to switch. Plus, I know when I take out my SIM there is no way any one is tracking my phone.
eSIMs just another way these companies are trying to control, and as you said, profit, off of their customers.
I see this as taking ownership away from the customer as well. I no longer own the SIM in essence.
eSIM provisioning needs wifi. Which means that eSIM transfer can be blocked at any of the bajillion internet levels. eSIM is backwards technology at DRM'ing our devices and the access service
Thanks to Wireguard and basically 0% battery overhead on Android I always keep it activated. If you don't have a Wireguard endpoint just use Orbot to route it through Tor.
Did that several times using cheap eSIMs while traveling.
Never had a single problem with it (but increased latency because of weird routings around the world).
> Never had a single problem with it (but increased latency because of weird routings around the world).
UDP (which WireGuard uses to encapsulate your data) traffic is often de-prioritized. You won't notice it when the network load is low, but it will seriously degrade experience during high load periods.
> We first show how travel eSIMs often route user data through third-party
networks [---] Second, we analyze the implications of opaque provisioning
workflows, documenting how resellers can access sensitive user data [---]. Third, we validate operational risks such as deletion failures and profile lock-in using a private LTE testbed.
So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered. Table 1 is worth a read. The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. If you're on DoH (DNS over HTTPS), you're even using it for host lookups.
What matters very much in practice is the latency. It's fine if you just need a little bit of connectivity to occasionally send a message or be able to find something on Google Maps, but just browsing the web can be painfully slow with some of the providers.
> The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS.
That should matter a lot to the common person, TLS or not doesn't matter, what matters is who talks to who, and who talks when. That information alone can give you many useful insights.
TLS exposes hostnames in plaintext via SNI. If using TLS version below 1.3 hostnames contained in the server certificate are in plaintext, too. ECH still "experimental", not in widespread use, no delivery deadline.
In theory encryption is something that protects the "common person", but SillyCon Valley's version of encryption, "TLS", is, unfortunately, mostly used for data exfiltration by third party intermediaries, so-called "tech" companies, i.e., opportunistic "business people".
Rather than protecting the "common person", the _primary_ use of "TLS"
is to faciltate violation of the "common person's" privacy for profit, and to protect the third party intermediary's privacy intrusions from detection by the "common person", by making it difficult for the "common person" to monitor the outgoing traffic from their computers.
The privacy risk created by this third-party controlled encryption ("TLS") is why corporations must perform "TLS inspection". They have to decrypt TLS connections and then re-encrypt them in order to monitor the outgoing traffic from their networks. But the opportunistic "business people" in SillyCon Valley know the "common person" will not do TLS inspection.
But that's not all. Further third parties, more opportunistic "business people" called "certificate authorities" play a disproportionate role in brokering TLS connections, deciding on behalf of the "common person" who is trustworthy and who is not. This largely relies on "ICANN DNS", another laughable SillyCon Valley implementation, and is thus severely flawed, but that is another topic.
SillyCon Valley's so-called "tech" companies utilise this third party "CA system" to make it difficult for the "common person" to exercise control over deciding who they want to trust or distrust, e.g., by frustrating the use of so-called "self-signed certificates" by the "common person". Meanshile, the SillyCon Valley companies ensure that _by default_ the SillyCon Valley companies' certificates are trusted. In some cases, the certificates (or their digital fingerprints) are hardcoded into software used by the "common person".
Despite what the average "tech" worker would like the "common person" to believe, "TLS" is not synonymous with "encryption". Nor is criticism of TLS necessarily criticism of encryption. TLS is only a lame, user-hostile implementation of encryption that the "common person" must suffer while so-called "tech" companies use it to protect their surreptitious data collection from the "common person".
> So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered.
When the bar of entry is lowered, than that makes it easier for providers who offer privacy to enter the market. So that people who care about this sort of thing can choose them.
The fact that Chinese domestic cell users can only use phones sold in China on eSim, and as soon as they leave China the eSims no longer work, gives me pause that there is some nascent security hole in them.
Why would they take such extreme measures if there wasn’t some issue with the security?
The telco is probably from Hong Kong, and using home-routed roaming, that is subscribers access the visited network through the home PDN gateway (H-PGW). When I roam with mine my IP is always from my home country. There is nothing insidious happening.
I read some of the article and stil not sure what is so unique about eSIM compared to physical SIMs. Is routing user traffic through third-party infrastructure unique to eSIM?
The other risks mentioned are mostly rare edge cases
Removing the need to ship a physical SIM card created an entirely new ecosystem.
There is very little difference between a physical SIM from provider X and an eSIM from provider X (except that one requires an available physical slot and the other is a pain to move between devices), but eSIM allowed many new provider and reseller business models.
In practice, this means much more choice, much lower prices, but often also lower quality because everything is optimized to be as cheap as possible and often involves roaming agreements where your traffic gets sent on high-latency world tours.
This is a weird title and IMO should have included "international resellers" to emphasise the risks are sourced from there, not really due to the eSIMs themselves. Those online-only, travel-oriented resellers, are incorporated or using providers from unregulated or less regulated markets.
If you use an eSIM provided by your own domestic carrier, which I do and many of my friends, especially when having more than one phone number, almost none of the risks in the paper are applicable.
Calling it "eSIM" is BS marketing. Every time I've used them it's been painful. I don't know the details but it absolutely is not "SIM technology". "eSIM" is something completely different.
A regular SIM: you just pop a SIM card into your phone and it just God damn works.
But eSIMs? I've used eSIMs from five carriers in three different countries and every time there is some issue:
* "Oh you need our god awful app to install an eSIM" (of course I couldn't easily download it because Google play geo hides apps).
* "If your phone is stolen overseas you can simply use this QR barcode again to register an eSIM to a new phone" (I couldn't).
* "Works with all phones". (It didn't because phone manufacturers have to bake Telco specific data into your phones firmware. Not supported? You're shit out of luck).
I could go on..
The fact that there are now privacy and security issues is not surprisingly at all. This isn't teetching issues. The drafters of the eSIM standard should be publicly flogged.
It's an emulated sim card, it really does emulate that weird little Java processor and everything. It's totally "SIM technology" in that sense, even if it's not conventient because of the restrictions of the emulation device.
Well, a regular SIM mostly just works, except for when it doesn't.
I haven't had any APN issues with regular SIMs in a while actually, but it used to be a common problem that would only sometimes auto-configure correctly. I've definitely had to google carrier APN settings and fiddle with them for a while to get text, MMS, and internet access working properly.
I also recently had an issue where I moved my US MVNO provider SIM to a new phone and it mostly worked, except for RCS. When I called them, they claimed my phone model wasn't compatible with their network, despite me already using it on their network for months. Apparently in their opinion SIMs should never actually be moved to a different phone. They offered to sell me a new phone, but I switched to a new carrier instead.
I've also had APN issues with physical SIMs, they are definitely not perfect. But I have never had an unusable "bricked" physical SIM. My eSIMs gripes are from being unable to use the eSIM at all. It's essentially a brick at that point.
RCS is a whole another kettle of fish indeed and the fact it only works with Play Integrity being on Device/Strong and the bootloader being locked is absolutely asinine to me.
They used cool hardware to do this research: the sysmoEUICC1 (https://shop.sysmocom.de/sysmoEUICC1-eUICC-for-consumer-eSIM...) which is a physical SIM card onto which one can load an eSIM, and they put it in a SIMtrace 2 device (https://osmocom.org/projects/simtrace2/wiki) to trace the data packets to/from the eSIM profile, which is normally not easily doable as modern phones load the eSIM on a chip soldered onto the phone's motherboard. So you end up with a goofy contraption (see figure 4 on page 8) but you have full visibility into the communications to/from the eSIM profile. Fun!
* Provision of Services The Services to Customer will be provided by our Technology Partner - TP Global Operations Limited, a limited liability company incorporated and registered in England and Wales with company number 14109189 whose registered office is at 109 Farringdon Road, Farringdon, London, EC1R 3BW, UK (“1GLOBAL”). *
Registered address:
The Valley - Beethovenstraat 505 North tower, Level 6. Amsterdam 1083HK, Netherlands
So we're at 3 levels of indirection on ownership already.
In practice, 1 Global is the trading name of TP Global because it's the successor company to 'Truphone':
> In 2022 the Company was selected in a competitive bidding process, conducted by a UK court appointed administrator
of Truphone Limited (“Truphone”), to acquire all the business and assets of Truphone (the “Acquisition”).
And this company was an investment option for Russian oligarchs:
> In December 2024, German Manager Magazin revealed that Russian oligarchs Abramovich, Abramov and Frolov, who had previously owned 96% of Truphone and invested more than €360 million in the company, could still benefit from any success achieved by 1Global.
The paper is somewhat title-bait: most of the data flow and privacy concerns (section 3) isn't caused by eSIM but by MVNO and business practices which applies to physical SIM as well. Additionally, it's expecting too much from _travel_ SIM cards (physical or embedded) where the primary consumer concern is cost.
> This has fueled a global marketplace of online eSIM resellers [54], operating across borders with minimal regulatory oversight. These services are typically marketed through web stores and mobile apps, with providers operating across borders and often facing minimal regulatory oversight.
But this is exactly the situation we have with VPNs. VPNs have proven themselves to be a useful tool for censorship circumvention, and foreign eSIMs are thus an interesting alternative suitable for this purpose, especially if traditional VPNs are blocked by the state.
37 comments
[ 2.9 ms ] story [ 49.5 ms ] threadIf your provider is trying to charge you every time yo need to move your SIM, have you considered a different provider?
If anything, lack of privacy is causing this massive "gold rush" toward eSIM. Ancillary benefits are massive for ad companies, vendors, sales, marketers.
eSIMs just another way these companies are trying to control, and as you said, profit, off of their customers.
I see this as taking ownership away from the customer as well. I no longer own the SIM in essence.
Did that several times using cheap eSIMs while traveling.
Never had a single problem with it (but increased latency because of weird routings around the world).
UDP (which WireGuard uses to encapsulate your data) traffic is often de-prioritized. You won't notice it when the network load is low, but it will seriously degrade experience during high load periods.
So not about eSIM the technology, but the business landscape inviting opportunistic business people when the bar of entry is lowered. Table 1 is worth a read. The outrage bait about traffic being routed through China shouldn't matter too much to the common person, since we're mostly using TLS. If you're on DoH (DNS over HTTPS), you're even using it for host lookups.
That should matter a lot to the common person, TLS or not doesn't matter, what matters is who talks to who, and who talks when. That information alone can give you many useful insights.
In theory encryption is something that protects the "common person", but SillyCon Valley's version of encryption, "TLS", is, unfortunately, mostly used for data exfiltration by third party intermediaries, so-called "tech" companies, i.e., opportunistic "business people".
Rather than protecting the "common person", the _primary_ use of "TLS" is to faciltate violation of the "common person's" privacy for profit, and to protect the third party intermediary's privacy intrusions from detection by the "common person", by making it difficult for the "common person" to monitor the outgoing traffic from their computers.
The privacy risk created by this third-party controlled encryption ("TLS") is why corporations must perform "TLS inspection". They have to decrypt TLS connections and then re-encrypt them in order to monitor the outgoing traffic from their networks. But the opportunistic "business people" in SillyCon Valley know the "common person" will not do TLS inspection.
But that's not all. Further third parties, more opportunistic "business people" called "certificate authorities" play a disproportionate role in brokering TLS connections, deciding on behalf of the "common person" who is trustworthy and who is not. This largely relies on "ICANN DNS", another laughable SillyCon Valley implementation, and is thus severely flawed, but that is another topic.
SillyCon Valley's so-called "tech" companies utilise this third party "CA system" to make it difficult for the "common person" to exercise control over deciding who they want to trust or distrust, e.g., by frustrating the use of so-called "self-signed certificates" by the "common person". Meanshile, the SillyCon Valley companies ensure that _by default_ the SillyCon Valley companies' certificates are trusted. In some cases, the certificates (or their digital fingerprints) are hardcoded into software used by the "common person".
Despite what the average "tech" worker would like the "common person" to believe, "TLS" is not synonymous with "encryption". Nor is criticism of TLS necessarily criticism of encryption. TLS is only a lame, user-hostile implementation of encryption that the "common person" must suffer while so-called "tech" companies use it to protect their surreptitious data collection from the "common person".
When the bar of entry is lowered, than that makes it easier for providers who offer privacy to enter the market. So that people who care about this sort of thing can choose them.
Why would they take such extreme measures if there wasn’t some issue with the security?
https://www.sakuramobile.jp/japan-sim-card/local-japan-esim-...
EDIT: Last time I went to Japan, I bought an esim from https://jjesim.com/esim
The other risks mentioned are mostly rare edge cases
There is very little difference between a physical SIM from provider X and an eSIM from provider X (except that one requires an available physical slot and the other is a pain to move between devices), but eSIM allowed many new provider and reseller business models.
In practice, this means much more choice, much lower prices, but often also lower quality because everything is optimized to be as cheap as possible and often involves roaming agreements where your traffic gets sent on high-latency world tours.
If you use an eSIM provided by your own domestic carrier, which I do and many of my friends, especially when having more than one phone number, almost none of the risks in the paper are applicable.
A regular SIM: you just pop a SIM card into your phone and it just God damn works.
But eSIMs? I've used eSIMs from five carriers in three different countries and every time there is some issue:
* "Oh you need our god awful app to install an eSIM" (of course I couldn't easily download it because Google play geo hides apps).
* "If your phone is stolen overseas you can simply use this QR barcode again to register an eSIM to a new phone" (I couldn't).
* "Works with all phones". (It didn't because phone manufacturers have to bake Telco specific data into your phones firmware. Not supported? You're shit out of luck).
I could go on..
The fact that there are now privacy and security issues is not surprisingly at all. This isn't teetching issues. The drafters of the eSIM standard should be publicly flogged.
I haven't had any APN issues with regular SIMs in a while actually, but it used to be a common problem that would only sometimes auto-configure correctly. I've definitely had to google carrier APN settings and fiddle with them for a while to get text, MMS, and internet access working properly.
I also recently had an issue where I moved my US MVNO provider SIM to a new phone and it mostly worked, except for RCS. When I called them, they claimed my phone model wasn't compatible with their network, despite me already using it on their network for months. Apparently in their opinion SIMs should never actually be moved to a different phone. They offered to sell me a new phone, but I switched to a new carrier instead.
How does that work with an eSIM?
[0] Website, https://saily.com/
[1] Actual operator is 1GLOBAL alias TP Global
* Provision of Services The Services to Customer will be provided by our Technology Partner - TP Global Operations Limited, a limited liability company incorporated and registered in England and Wales with company number 14109189 whose registered office is at 109 Farringdon Road, Farringdon, London, EC1R 3BW, UK (“1GLOBAL”). *
https://saily.com/legal/b2b-terms-of-service/
Registered address: The Valley - Beethovenstraat 505 North tower, Level 6. Amsterdam 1083HK, Netherlands
So we're at 3 levels of indirection on ownership already.
In practice, 1 Global is the trading name of TP Global because it's the successor company to 'Truphone':
> In 2022 the Company was selected in a competitive bidding process, conducted by a UK court appointed administrator of Truphone Limited (“Truphone”), to acquire all the business and assets of Truphone (the “Acquisition”).
And this company was an investment option for Russian oligarchs:
> In December 2024, German Manager Magazin revealed that Russian oligarchs Abramovich, Abramov and Frolov, who had previously owned 96% of Truphone and invested more than €360 million in the company, could still benefit from any success achieved by 1Global.
So yeah, maybe avoid.
But this is exactly the situation we have with VPNs. VPNs have proven themselves to be a useful tool for censorship circumvention, and foreign eSIMs are thus an interesting alternative suitable for this purpose, especially if traditional VPNs are blocked by the state.