By Shelley Shan
/ Staff Reporter
People using electronic SIM (eSIM) cards while traveling abroad risk having their personal data monitored by China, a Taiwanese technology specialist wrote on social media on Sunday. The use of eSIMs has become increasingly popular among international travelers, as they can access the Internet immediately upon arrival by simply scanning a QR code, without needing to replace physical SIM cards. Data plans offered in certain countries can be up to five times cheaper than the international roaming services offered by Taiwanese telecom operators. However, cacaFly CEO Nathan Chiu (邱繼弘) wrote on social media that most people underestimate cybersecurity risks when using eSIMs. Chiu cited a study undertaken by Northeastern University researchers in the US during the USENIX Security Symposium in August last year titled “eSIMplicity or eSIMplication?” in which the research team purchased 25 different eSIM cards widely used by international travelers and tested where the network packets were transmitted in their data services.
People line up at Taiwan Taoyuan International Airport in an undated photograph.
Photo: Taipei Times
Almost all of the eSIM cards in the study showed IP addresses that were not in the same locations as the users, he said. People using Holafly, an Ireland-based eSIM card operator, would see an IP address on their mobile phones belonging to Hong Kong-based China Mobile International Ltd, he said. The study found that after an eSIM profile was installed, it might automatically use the SIM application toolkit to secretly establish connections to servers in Singapore and receive text messages from Hong Kong numbers, all without the user’s knowledge, Chiu said.
Packets containing metadata, such as international mobile subscriber identity, international mobile equipment identity, location trajectory, traffic behavior and domain name system queries, were routed through the core network of China Mobile before reaching their final destinations, he said. Although China Mobile International is registered in Hong Kong, it is obligated to follow China’s Cybersecurity Law and National Intelligence Law, which require all Chinese telecoms to cooperate with national intelligence agencies, Chiu said. One possible concern for consumers is that they could be denied access to ChatGPT, Claude or Gemini if they try to enter them through IP addresses based in China, Hong Kong and Macao, Chiu said. “You could be in Japan, Thailand or Europe, but OpenAI, Anthropic and Google would still see you as Hong Kong users because the packets are routed through there,” he said. All eSIM card operators based in China, Hong Kong and Macao are aware of this problem, as they inform users that they need to manually change the access point name to eSIM Next and switch the IP address to Singapore if they want to access ChatGPT or other US-based AI apps using their eSIM cards, Chiu said. Customers might assume they cannot access ChatGPT because the app’s servers or the Wi-Fi in the hotel were down or their mobile phones malfunctioned, he said.“Rather than banning the use of China-based eSIM cards, the question we should be asking is why Taiwanese were reluctant to buy eSIM cards sold by Chunghwa Telecom, Taiwan Mobile and Far Eastone Telecommunications, given that they have signed agreements on Internet protocol and roaming exchanges with nearly all telecom operators around the world,” Chiu said. Chiu said the situation was caused by the National Communications Commission’s regulatory framework for eSIM cards, which is identical to that for physical SIM cards to prevent telecom fraud. People who want to buy eSIM cards from Taiwanese telecoms must do so in person and pay a NT$300 fee. They are also prohibited from switching the cards to other users online and must file a new application when using a new mobile phone, Chiu said. All international roaming services must also be bundled with mobile phone numbers, he added. To avoid the hassle, most consumers simply choose eSIM cards sold in other countries offering cheap data-only services not tied to a phone number, he said. The NCC responded that all three major telecom operators already offer prepaid data-only services for overseas travel and that activation fees might be waived under certain conditions. However, under the Fraud Crime Hazard Prevention Act (詐欺犯罪危害防制條例), users must still complete Know Your Customer procedures before the services can be provided. It said it would consult law enforcement authorities and the three major telecom operators to examine the legality and feasibility of simplifying procedures.