Why I dont use a SIM card and neither should you

Introduction

So I have a friend. And we talk maybe about once a month and meet once every five years. So you know it’s a serious relationship. And this other time I just casually told him I don’t actually use a SIM card. And I mean no SIM at all. No physical card, no eSIM. And I was pretty shocked to see how flabbergasted he was by this. He immediately asked me – how do you make phone calls? I simply said – I don’t. How do you get data? I said – I don’t. The shock was palpable. And it was mutual. Because in that moment I realized, that my methods of going about my digital life are very unconventional. This is not what regular people do. But because of my many years of privacy research and investigations, to me, it was completely normal. I understand the privacy implications of using a SIM. But to the uninitiated, not using a SIM for data and texts is out of this world.

This is the phone I use. I installed GrapheneOS on it and now it’s essentially an anonymous device. I never inserted a SIM card into this phone, I always leave the airplane mode on and I route my whole device traffic through a trusted VPN service. I bet you cold barely find one person doing any single one of those things, not to mention all of them. So in this video, I want to share with you a bit of my privacy setup and explain to you why I do not use a SIM card and how I navigate my life with almost zero amount cellular traffic. So let’s start with the first thing, exposition time.

Exposition time

This triangle is a basic cell tower. This tower broadcasts into all directions at all times, usually at a radius of up to 20 miles. If your phone is in vicinity, the tower will pick it up and register an approximate distance of your phone to the tower. So in this example, you might be roughly 10 miles anywhere on this circle from the cell tower. Which is a pretty wide area. However, most towers have three directional antennas. Each side splitting the array by 120 degrees. And an antenna can tell which array your signal is being received from so that narrows your approximate location down by two thirds already.

But in almost all cases, your phone will be connected to more than one tower. If you are in city, you’ll always be pinging at least three or five cellphone towers at any point. With each new tower, you add a new intersection of signal radius, each one narrowing down your location more and more. This is called cell tower triangulation and when this happens, the accuracy of location tracking can go from several miles, all the way down to several meters. [13]

Each location data point is collected and retained by telecommunication providers for probably indefinitely. If you profile this over a long enough timeline, this is what it may look like in a regular person’s life. [0]

Telecommunication companies put your location records and build up a detailed profile of your personal life – including where you travel, commute, work, live, study, who you meet with, when and for how long, along with all the texts and phone calls you make along the way. [1]

This location tracking is impossible to opt out of. It happens automatically in the background. It doesn’t need GPS and works even when you disable location services on your phone.

All of this location tracking is old stuff by now. 5G is now going to make cellular tracking precise down to a centimeter both indoors and outdoors. Meaning 5G operators will know not just what building you are in, but also what floor and room. [2, 3]

5G network requires far denser hardware deployment and all new devices – not just phones and tablets, but cars, wearables, Internet of Things devices… are being equipped with 5G. [4, 5]

And yes, there are some security enhancements from the previous generation, but they all depend on proper implementation of telecom companies who love nothing more than to cut corners to save costs. [6, 7, 16]

So 5G is going to make location tracking even more creepy and big telecom will have no incentives to properly implement privacy protections. Future is in the good hands! [14, 15]

The Problem

So what, you may ask? What’s the big deal if they collect your location when you have nothing to hide? That’s a good question, you filthy Nazi. The answer is simple: you can’t trust who gets a hold on this data and how they interpret it. Even if that someone is your friendly neighborhood local police department. Because police can and do request this information from cell companies without a warrant and ruin your life in the process of botched criminal investigations. [8]

Suppose you are sitting in your living room and you’re on a call with your buddy when someone commits a murder a mile away. Completely oblivious to you, your phone is a pinging a nearby cell tower and when the police come and collect the phone records, you will be among the prime suspects. This is not a made-up hypothetical. This is what happens routinely on daily basis. Because cops are given this technical information without understanding it, because they are not technical people. And prosecutors are presenting these phone records as if they were DNA evidence. [9]

You now have to spend thousands on an experienced attorney to get you out of this situation, in which the police might flash your head shot to local news, ruining your reputation in the process. Again, this is something that actually happened. [10]

This practice has a name and it’s called geofence warrants. [17] It’s dragnet surveillance where law enforcement collect phone records of all devices that were making connections in a given location for a given time. It’s a crazy practice. But it’s real. [8]

And the problems with cell networks don’t just end there. Telecom companies have all the monetary reasons to sell your location to third parties to make more profit. And they’ve been caught doing that without your consent and without reasonable protections of your information, allowing your real-time location to fall into the hands of bail-bond companies, bounty hunters and other shady actors.” [11, 12]

This is why I don’t trust anyone with my location information. This is why I am not comfortable with perpetually broadcasting my entire life to companies who don’t have my safety in their interest. I don’t trust the police with it, the marketing companies, the data brokers, the scammers and fraudsters who obtain that info legally or otherwise… Where I am, where I’ve been and where I will be is my own business and I don’t trust anyone to hold a permanent record of my location. So I don’t use a SIM card in my phone.

Not the whole picture

Being a privacy researcher, it makes perfect sense for me to do this. But it’s only a fragment of a broader privacy strategy. The ways I protect my location actually go way beyond just not using a SIM. If you are interested in protecting your location to the same extent, this is what else I do. But before I tell you about it, share this video with people you care about because the more people learn this, the more secure we all get.

First things first, pulling out a SIM card from your device is not enough to completely hide your phone. You also need to enable airplane mode to prevent your phone from making it detectable at all. Modern phones will still beam their signals even if they have no SIM and they will broadcast your unique device identifiers which can also be used to track you. So I kill it with an airplane mode. And don’t worry, you can still use WiFi and Bluetooth in airplane mode.

The second thing I do, is that I disable location services and revoke all location permissions on all of my devices. There is no reason for any app to have any background or precise access to my location. The only exception is my map, but it’s not Google Maps or Apple Maps nor any of the proprietary privacy invasive maps. I use Organic Maps and OSMAND. These are free and open source offline navigation apps. I use them to download local maps to us offline only and give them location permission just for when I am actually using them. The moment I leave them, they lose access to my location. So remember to be vigilant about who you grant what permissions and for how long.

And third, I disable WiFi scanning and Bluetooth scanning. Theys were built for convenience of looking up devices to connect with but they are also a major privacy risk for your location. Using WiFi for internet access is safe, however I also enable full MAC address randomization. Full randomization is only available on GrapheneOS but Android and iPhone also have some MAC randomization so be sure to enable it. For me, whenever I reconnect to any WiFi, the network is always gonna think it’s an entirely new device each time. Thus keeping my phone anonymous to any network. When using the Internet, you need to prevent websites and apps from seeing your IP address because that can reveal your location and be used to track you. I use Tor and a VPN. Mullvad and ProtonVPN are both very good services, no I am not sponsored by any of them. I wouldn’t settle for any other VPN service. Make sure to always route your full device traffic through that VPN.

What about the SIM

Okay, but what about the time when someone needs to call or text me? What then? Well, nothing. For friends and family, I use end-to-end encrypted messaging apps – for me that’s mostly Signa and Matrix. But even the freaking Facebook Messenger is encrypted now. There is no excuse to use unencrypted communication today and cell communication should get deprecated.

For the rare instance when I need a phone number, usually for ancient services like a bank or the government, I do have a dumb phone that’s off all the time and is only on when I need to make a call or when I am expecting a text or a call. I also have a Faraday bag for when I am feeling extra cautious.

For data, well.. I don’t use data. I use public WiFi when possible and when not, I download some offline entertainment when needed for longer routes. Usually getting a WiFi is not a problem as they are ubiquitous in every city – be it a coffee shop or a shopping mall.

Conclusion

So this is why I don’t use a SIM and how I go about my life without it. The more people know about this the more secure we all get so share this video with those you care about in your life. And become a member of my Patreon page to support me making more videos like this and get access to hundreds of amazing podcast episodes I’ve been making for many years now. I get into so much more detail in these episodes about everything I do on this channel and stuff that couldn’t make it into my videos. And there is also some merch if you are feeling like it. Thank you kindly!

SOURCES

[0] https://www.zeit.de/datenschutz/malte-spitz-vorratsdaten

[1] https://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz

[2] https://www.qualcomm.com/videos/5g-multi-cell-positioning-ota-demonstration

[3] https://www.ericsson.com/en/blog/2018/11/lte-positioning-and-rtk-precision-down-to-the-centimeter

[4] https://www.cisa.gov/sites/default/files/publications/19_0731_cisa_5th-generation-mobile-networks-overview_0.pdf

[5] https://www.nokia.com/thought-leadership/articles/privacy-challenges-security-solutions-5g-networks/

[6] https://www.wired.com/story/5g-security-stingray-surveillance/

[7] https://www.wired.com/story/5g-more-secure-4g-except-when-not/

[8] https://harvardlawreview.org/print/vol-134/geofence-warrants-and-the-fourth-amendment/

[9] https://www.newyorker.com/news/news-desk/what-your-cell-phone-cant-tell-the-police

[10] https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html

[11] https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf

[12] https://www.engadget.com/fcc-fines-americas-largest-wireless-carriers-200-million-for-selling-customer-location-data-121246900.html

[13] https://transition.fcc.gov/pshs/911/Apps%20Wrkshp%202015/911_Help_SMS_WhitePaper0515.pdf

[14] https://threatpost.com/torpedo-privacy-4g-5g/142174/

[15] https://www.wired.com/story/torpedo-4g-5g-network-attack-stingray/

[16] https://www.ndss-symposium.org/ndss-paper/privacy-attacks-to-the-4g-and-5g-cellular-paging-protocols-using-side-channel-information/

[17] https://www.theguardian.com/us-news/2021/sep/16/geofence-warrants-reverse-search-warrants-police-google