I use GrapheneOS and love my privacy. However, I am not as knowledge in regards to simcards.
My family needed to get a new simcard while abroad and I was hesitant to get a new simcard and preferred to ‘hitchhike’ on a family members internet thearing so he could get a simcard instead of me.
It left me with the choice to:
- Get a Sim card
- Get an e-sim
- Let a family member get a simcard and hitchhike from their internet. (Internet hotspot thearing)
My question: Was my worry in vain and I could actually get an e-sim/Sim or did I do it correctly, making someone else get a Sim and share the internet to me? :P
What I’m worried of, is that I’m currently outside EU and I don’t want any weird hacking attempts towards me from the government. There are a lot of protests here, quite violent ones at times too, and I am aware that governments usually use stingrays or equivalent devices to identify or stalk people of interest.
Depends, as usual, on your threat model. I do not know where you live, where you went, what you do, who you are and thus who you worry about.
That being said :
- if you rely on someone else hotspot well you delegate the risk too. If they relay your traffic they can still shape or monitor your traffic. Obviously I would not expect your family member to do that… but if you are being monitored and there are data showing that you are not at home or work (wherever you usually are) and other data you are traveling together (e.g. plane tickets, border control with IDs checked, connection to services with different IPs) one could expect your surrounding to be potentially targeted. That is one extra hoop and it might protect from “shallow” surveillance but I would not be so sure.
- SIM main problem in your situation IMHO is KYC, basically that you can’t buy one without an ID and thus if you have expectation of anonymity regarding the provider of the SIM then it is not viable indeed.
- eSIM AFAICT do not enforce KYC (no scan of ID to send) and typically offer to purchase a SIM outside of the country one is visiting, unlike physical SIMs. Sure they might share ICCID and more but unless that piece of data is linked with your actual name then it might not be a problem
- honestly if you worry about “weird hacking attempts towards me from the government” then you better know a lot more about cybersecurity than I and random people on the Internet do. It’s one thing to worry about mass surveillance, with or without BigTech, but if a state agent is paying actual security professional to hack your devices or accounts then it’s another ball game entirely.
Depending on where you are travelling to and from, you can often get an anonymous prepaid SIM card. That is what I do: buy one with cash, put it into a MiFi router, and only switch it on when I need internet. That way I stay off the records of whoever else is with me and I am not relying on their identity as a shield. I have not found an eSIM provider that gives me the same level of anonymity, so I have avoided those.
If you really have to register a SIM with your identity, it depends on the situation. For example, if you buy a SIM in the EU, activate roaming, and then use it in Mexico, the Mexican authorities can’t instantly demand your subscriber info from the EU. On the other hand, if you or your family buy local SIMs while showing ID, then travel together and check in to hotels together, it makes little difference whose SIM is whose. For Mexico specifically, you can walk into an OXXO store, pay cash, and get a prepaid SIM with a data package, no ID required. Many countries have similar cash options so you check ahead of time.
About whether the worry is justified. The type of surveillance you mention, such as stingrays, requires both strong capability and strong motivation. If a government wanted to, they could stop your entire family at the border before you ever left. But from what you describe, you are just a foreigner who might pass by a protest. That is unlikely to trigger the level of targeting you are thinking of.
Still, I would not call it “in vain.” Building habits that protect privacy and understanding how information flows is always useful. But if you can get a prepaid SIM anonymously with cash, it is usually a cleaner option than tethering from family.
get an anonymous prepaid SIM card. That is what I do: buy one with cash
Don’t they normally ask for ID? I know in France for example it’s typically not possible to buy a SIM without presenting an ID first. That wasn’t the case few years ago but not it’s common practice, if not mandatory.
Same in Germany, but thanks to roaming between EU states not incurring extra charges and Netherlands not asking for ID at the time, one could just cross the border to pay in cash, or order a Dutch LycaMobile SIM pseudonymously.
I am not sure about France. When I search online, I often find resources stating “Yes, ID is required”, even for the countries where I know that I have bought SIM cards with cash. Well, the SIM is usually free and what I pay for is the top-up code.
I would imagine (but I’m not sure) that if you try to buy a SIM card at an airport or at an official store from a large telephony provider you are more likely to get asked for an ID. I find them in shops that have signs with the names of smaller MVNOs. Something like what is shown in this image that I found online, where you can see signs of ‘Lyca Mobile’ and ‘Lebara’:
But, your mileage may vary. Probably some locations are more strict than others.
Thanks for the clarification, found https://privacyinternational.org/long-read/3018/timeline-sim-card-registration-laws on the topic also useful.
That’s a very interesting resource!
Actually, the countries where I have been able to purchase anonymous SIM cards are in the list “As of 2021, the following countries do not have mandatory SIM card registration laws”. So, it appears like I just happen to have been lucky and I should not make this as such a general recommendation…
Funny, about Mexico it says:
Countries expected to implement mandatory SIM registration in 2022: Philippines, Mexico.
I can at least confirm that I was not asked for ID when buying SIM cards last year in Mexico.
I just looked it up and found the proposed law for Mexico on Wikipedia. It was struck down in 2022 as unconstitutional.
So, then, I really have no anecdotes to say that it is easy in places where it is formally illegal.
By having a physical SIM or an E-SIM, your ICCID and other data is transmitted directly to the tower, so using your family’s hotspot was the better option in that case.
That’s awesome. If I have the choice to be careful, why not take that option? Thank you! <3
Anything connected to the cellular network should be considered compromised, it doesn’t matter if you’re using a SIM from your own country or a local one if it goes through towers of the country you’re visiting.
If you’re so concerned, turn on airplane mode before leaving the network you trust and take a separate device for sharing internet over Wi-Fi or Bluetooth.
connected to the cellular network should be considered compromised
What do you mean by compromised? Monitorable? Traffic shaped? Both? How about E2E?
The cellular modems are vulnerable to attacks from towers, so if you’re worried about things like stingrays, you should also worry about malware installed from cell towers.
