A traditional SIM (more formally a UICC) is a tiny smart card with a hardware secure element containing your IMSI, your authentication keys (Ki), and a Java Card runtime. You can pull it out of one phone, drop it into another, and the carrier sees the same subscriber. The physical chip is the identity.
eSIM — embedded SIM, more formally eUICC — moves the secure element onto the phone's main board. Identity is now a software profile that's downloaded into the chip via Remote SIM Provisioning. The chip can hold multiple profiles at once. You activate one by scanning a QR code or running a carrier-provided app. The privacy implications start there.
The Cryptography Is Fine
First, credit where credit is due. The GSMA SGP.21 / SGP.22 specifications for consumer eSIM use a layered PKI:
- The eUICC carries a certificate issued by its manufacturer (the EUM).
- An SM-DP+ server (Subscription Manager - Data Preparation) authenticates the device cryptographically before pushing a profile.
- Profiles are signed and end-to-end encrypted to the eUICC's public key.
- Mutual authentication uses ECDSA certificates that chain to the GSMA root.
The protocol-level cryptography is audited and standardized. A man-in-the-middle on the provisioning channel can't extract your authentication keys. The keys never leave the secure element. This is genuinely better than the QR-code-distributed config files that some older WiFi-calling setups relied on.
What Actually Changes for Privacy
You can no longer "leave the SIM at home"
A traditional opsec move for crossing borders, attending protests, or visiting hostile environments was simple: pull the SIM out, leave it at home, carry a phone with no identifiable subscription. With eSIM, the profile lives on the phone. You can disable it, but disabling is software state — and you can't physically remove a chip that's soldered to the board.
The practical workaround: maintain a separate phone (no eSIM, or with all profiles deleted) for sensitive use. Some GrapheneOS-friendly devices retain physical SIM slots specifically for this use case. Pixel 6+ supports both physical SIM and eSIM simultaneously.
Carrier change is more traceable
Switching physical SIMs leaves the old SIM in a drawer somewhere. Switching eSIM profiles deletes the previous profile from the eUICC entirely. The eUICC tracks every profile ever loaded and reports certain telemetry back to its EUM and SM-DP+ servers — including download events, enable/disable events, and deletion events.
This is mostly innocuous infrastructure. But it creates a centralized record of "this physical device EID has been used with carriers A, B, C, and D" that didn't exist with physical SIMs.
Profile transfer is a new attack surface
Apple's "Transfer eSIM" between iPhones, and equivalent flows on Pixel and Samsung, use Bluetooth to migrate a profile to a new device. The cryptography is sound, but the social engineering attack — convince a victim to confirm a transfer — is qualitatively new. SIM swap fraud already targets carrier service reps; eSIM swap fraud targets the victim directly.
Every eUICC has a 32-digit EID burned in at manufacture, analogous to an IMEI. It's not your phone number, but it identifies the secure element across all profiles you ever load. Treat it as a permanent device identifier — because that's what it is.
eSIM vs Physical SIM at a Glance
| Property | Physical SIM | eSIM |
|---|---|---|
| Physical removal | Yes | No |
| Multiple profiles at once | Generally one | Multiple, switchable |
| Provisioning channel | In-person mostly | Remote, internet-based |
| SIM swap fraud target | Carrier service rep | Victim directly (transfer flow) |
| Permanent device-bound identifier | ICCID per card | EID for the eUICC's lifetime |
| Travel ease (foreign carriers) | Buy local SIM at airport | Scan QR code, instant activation |
| Anonymous prepaid availability | Common where laws allow | Rare; most eSIM providers require KYC |
The Anonymous Prepaid Problem
In many jurisdictions you can still walk into a corner shop, buy a prepaid physical SIM with cash, and activate it without showing ID. The legal landscape is shifting toward mandatory registration even for prepaid — but for now, a handful of countries still allow it.
For eSIM, this is largely impossible. eSIM activation requires a working internet connection to download the profile, which means an existing connection on the device (usually WiFi tied to an existing identity). Most eSIM providers — including the travel-focused ones like Airalo, Holafly, Nomad — require email-based account creation and a payment method. The path from "anonymous cash SIM" to "eSIM" has more identity surface, not less.
If anonymous mobile data matters to your threat model, eSIM is a step backwards. The mitigation is keeping a physical-SIM-capable device for that specific use, paired with a service that still accepts cash purchase.
What eSIM Doesn't Change
Things that were true with physical SIMs and remain true with eSIM:
- Your IMEI is still your IMEI. The carrier still sees the device identifier independent of which profile is active.
- Your IMSI is still trackable. IMSI catchers work against eSIM the same way they work against physical SIM — the radio protocol is unchanged.
- Location data is still collected. Cell tower registrations, handovers, signal strength reports — all flow to the carrier exactly as before.
- Lawful intercept and metadata retention apply equally. The wire-protocol metadata that ends up in data-retention databases is the same.
Practical Hygiene if You Use eSIM
Realistic privacy posture for an eSIM device:
- Disable profiles you're not actively using. Don't leave dormant carriers enabled.
- Delete profiles when you stop using a carrier permanently. Disabled is not the same as gone.
- Treat your EID like your IMEI — don't post it, don't paste it into support tickets you don't trust.
- Use a secondary device for sensitive work. Keep the eSIM-laden daily driver out of the threat model entirely for high-stakes situations.
- Watch your eSIM transfer flow. Don't confirm transfers initiated from another device unless you actually initiated them. Disable transfer prompts if your platform allows.
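The EID rule above can be applied mechanically before text leaves your machine. This is an added example, not code from the original article: a scrubber that redacts EIDs and IMEIs from a draft support ticket. The check-digit rules (value mod 97 equals 1 for the 32-digit EID, Luhn for the 15-digit IMEI) come from the published numbering rules rather than from this article, and every sample value is constructed.

```python
import re

def eid_is_valid(eid: str) -> bool:
    """A well-formed EID is 32 decimal digits whose value is 1 modulo 97."""
    return len(eid) == 32 and eid.isdigit() and int(eid) % 97 == 1

def make_eid(body30: str) -> str:
    """Append the two check digits to a 30-digit body (builds sample data)."""
    return f"{body30}{98 - int(body30 + '00') % 97:02d}"

def luhn_ok(digits: str) -> bool:
    """Luhn check, as used for the 15th digit of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Runs of 15 to 32 digits, optionally grouped with single spaces or hyphens.
_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){14,31}(?!\d)")

def scrub(text: str) -> tuple[str, list[str]]:
    """Redact digit runs that validate as an EID or IMEI; leave the rest."""
    found: list[str] = []

    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if eid_is_valid(digits):
            kind = "EID"
        elif len(digits) == 15 and luhn_ok(digits):
            kind = "IMEI"
        else:
            return m.group()    # e.g. an order number: wrong length or check
        found.append(kind)
        return f"[{kind} redacted]"

    return _RUN.sub(repl, text), found

# Constructed sample data, not real identifiers.
SAMPLE_EID = make_eid("89049032" + "0" * 14 + "12345678")
SAMPLE_TICKET = (f"Profile download fails. IMEI 490154203237518, "
                 f"EID {SAMPLE_EID}, order 12345678901234567890.")

if __name__ == "__main__":
    clean, found = scrub(SAMPLE_TICKET)
    print(clean)
    print("redacted:", found)
```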
eSIM is a convenience win and a metadata-surface loss. The trade-off is the same shape as most modern mobile changes: the cryptography genuinely improved, and the inventory of soft identifiers tied to your device grew at the same time.
Communication that doesn't depend on your phone number — encrypted messaging that uses cryptographic identity rather than carrier identity — sidesteps the entire eSIM debate. That's part of why Haven and similar tools exist: not because SIM technology is broken, but because tying your messages to your subscriber identity is unnecessary in 2026.