Understanding what data your eSIM and carrier can access, how the secure element protects your credentials, what carrier privacy policies mean in practice, and how to protect your privacy as an eSIM user in Hong Kong.
An eSIM gives your carrier the same visibility into your mobile usage as a physical SIM — no more and no less. Your carrier can see metadata about your mobile usage: which cell towers your device connects to (revealing your approximate location throughout the day), when calls are made and received (call detail records including duration and called numbers), data usage volumes and timing, and SMS metadata (sent/received times and numbers, though not SMS content for most carriers). This metadata collection is the same whether you use eSIM or physical SIM — the SIM type does not change the fundamental carrier-subscriber relationship or the data that the carrier collects for billing, network management, and regulatory compliance purposes.
Your carrier cannot see the content of encrypted communications over your mobile data connection — if you are using WhatsApp, Signal, iMessage, or any other end-to-end encrypted messaging app, the carrier sees only that data was transmitted between your device and the internet, not the content of those messages. Similarly, HTTPS web traffic is encrypted at the transport layer, meaning the carrier cannot read the content of web pages you visit, though they can observe which IP addresses your device connects to (which reveals the services you use). For users who want to prevent even IP-level metadata visibility to their carrier, a VPN routes all traffic through the VPN server, concealing your browsing destinations from the carrier at the cost of visibility to the VPN provider instead.
eSIM introduces one additional data point that physical SIM does not: the eSIM provisioning event log. When you download or update an eSIM profile, the carrier's SM-DP+ server records the device EID, the time of the provisioning event, and the IP address from which the download was initiated. This provisioning metadata is stored by carriers for operational and fraud prevention purposes. Under Hong Kong's Personal Data (Privacy) Ordinance (PDPO), carriers must handle this data in accordance with PDPO data protection principles and make their data retention and use policies available to subscribers. The PDPO gives HK residents the right to request access to personal data held by carriers and to request correction of inaccurate data.
The security of your eSIM credentials depends on the hardware secure element in which they are stored. The secure element — also called eUICC (embedded Universal Integrated Circuit Card) — is a dedicated microcontroller chip that is physically separate from the device's main application processor and is designed to be tamper-resistant. On iPhone, the eSIM secure element is integrated into the same Secure Enclave architecture that protects Face ID biometric data and Apple Pay payment credentials — Apple designs this hardware component specifically for high-value credential protection. On Samsung Galaxy devices, the eSIM secure element is part of Samsung's security architecture certified under Common Criteria EAL (Evaluation Assurance Level) standards.
The secure element operates an isolated execution environment — code running in the main operating system (iOS, Android, and all apps including malicious ones) cannot access the secure element's memory space directly. Even if your device is compromised by malware, the malware cannot extract eSIM authentication keys from the secure element because those keys are never exposed to the main OS's address space — all cryptographic operations happen inside the secure element and only the result (an authentication response) is returned to the OS. This architectural isolation is why eSIM cloning attacks require physical hardware attacks on the chip rather than software-based extraction, making eSIM credentials significantly more resistant to mobile malware than other types of sensitive data stored in device memory.
The GSMA RSP specification requires that all eSIM profile provisioning operations be authorised using certificates in the GSMA PKI (Public Key Infrastructure). This means that a profile can only be downloaded to your eSIM from a carrier SM-DP+ server that holds a valid certificate signed by the GSMA root CA. Malicious actors cannot push unauthorised eSIM profiles to your device without obtaining a GSMA-signed certificate — a requirement that restricts this capability to legitimate carriers and MVNO operators who have completed the GSMA certification process. Combined with the device's requirement that eSIM downloads be explicitly authorised by the user through the device interface, the end-to-end eSIM provisioning security architecture provides strong protection against unauthorised profile installation.
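The chain-of-trust check described above can be reproduced with the openssl command line. This is an added example, not code from the GSMA specification or any carrier: it builds a stand-in root CA locally and shows that a provisioning server certificate is accepted only when it was signed by that root's key. All names, keys and certificates are constructed, and the real RSP exchange involves more steps than this single check.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name is generated locally as a
# stand-in. Nothing here is real GSMA or carrier material.
DEMO_DIR=$(mktemp -d)

# new_key NAME: generate a P-256 private key.
new_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/$1.key" 2>/dev/null
}

# make_root NAME SUBJECT: self-signed certificate (a root, or a rogue server).
make_root() {
  new_key "$1"
  openssl req -x509 -new -key "$DEMO_DIR/$1.key" -sha256 -days 30 \
    -subj "/CN=$2" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# make_signed NAME SUBJECT CA: certificate for NAME signed by CA's key.
make_signed() {
  new_key "$1"
  openssl req -new -key "$DEMO_DIR/$1.key" -subj "/CN=$2" \
    -out "$DEMO_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/$1.csr" -CA "$DEMO_DIR/$3.pem" \
    -CAkey "$DEMO_DIR/$3.key" -CAcreateserial -sha256 -days 30 \
    -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# Device-side decision: accept a provisioning server only if its certificate
# chains to the single root the device already trusts (trusted.pem).
check_provisioning_server() {
  if openssl verify -CAfile "$DEMO_DIR/trusted.pem" "$DEMO_DIR/$1.pem" >/dev/null 2>&1
  then echo accepted
  else echo rejected
  fi
}

make_root   trusted    "Demo Root CA"                 # stand-in for the GSMA root
make_signed carrier    "smdp.carrier.example" trusted # legitimate SM-DP+ (constructed)
make_root   fakeroot   "Demo Root CA"                 # attacker CA copying the root's name
make_signed lookalike  "smdp.carrier.example" fakeroot
make_root   selfsigned "smdp.carrier.example"         # attacker signs its own certificate

for server in carrier lookalike selfsigned; do
  echo "$server: $(check_provisioning_server "$server")"
done
```

The lookalike certificate is rejected even though its issuer name matches the trusted root, because its signature does not verify under the trusted root's public key.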
International travel eSIM providers — Airalo, Holafly, Saily, Roamless — operate differently from local HK carriers in terms of data collection and privacy jurisdiction. When you purchase a travel eSIM from Airalo (incorporated in Singapore), the purchase transaction creates an account relationship with Airalo that includes your email address, device EID, payment information, and usage records. Airalo's privacy policy is governed by Singapore's Personal Data Protection Act (PDPA) and GDPR for European users, providing a structured data protection framework. Most reputable international travel eSIM providers do not sell personal data to third parties and use collected data primarily for service delivery, customer support, and fraud prevention.
The network partner in each destination country also collects usage metadata — your device connects to the local carrier's network (NTT Docomo in Japan, Orange in France, T-Mobile in the US) and that carrier's systems record the connection events. The data collected by the destination network partner is governed by that country's data protection laws — Japan's Act on the Protection of Personal Information (APPI), the EU's GDPR, or US privacy regulations respectively. For most travel use cases, this metadata is functionally equivalent to what a domestic carrier collects and is not a meaningful privacy concern. However, users with heightened privacy needs (journalists, researchers, activists) should consider whether destination country data protection standards meet their requirements when choosing travel eSIM providers.
The EID (eUICC Identifier) of your device is a unique persistent identifier that is transmitted during eSIM provisioning events and network connections. Unlike the IMEI, which is associated with the physical device, the EID is associated with the eSIM hardware specifically. From a privacy perspective, the EID represents a semi-persistent tracking identifier — each eSIM provider and carrier you connect to can associate your EID with your account. For most users, this is a non-issue, as the EID is no more privacy-sensitive than other device identifiers that mobile networks necessarily use for billing and connectivity. Users concerned about EID-based tracking across multiple eSIM providers should be aware that the EID is functionally immutable — it cannot be changed or anonymised as phone numbers can be changed.
Securing your eSIM begins with securing your carrier account. Your eSIM profile is associated with your carrier account, and anyone who can access your carrier account can potentially initiate an eSIM transfer — downloading your number to a device they control (a SIM swap attack). Protect your carrier account with a unique, strong password not reused elsewhere, and enable 2FA on the account using an authenticator app rather than SMS. Add a carrier account PIN or verbal password that must be provided before any SIM-related changes are processed — all four major HK carriers (3HK, CMHK, SmarTone, csl) support this account security feature. Treat your carrier account with the same security rigour as your banking login.
For the eSIM credential data stored on your device, the most important protection is your device lock screen PIN, password, or biometric. The secure element that stores eSIM credentials is protected by device-level security — a device with no screen lock, or with a weak 4-digit PIN, is a meaningful security vulnerability. Use Face ID (iPhone) or fingerprint authentication (Android) as the primary unlock method backed by a strong alphanumeric passcode (6+ characters, not a simple pattern). Enable device encryption — this is the default on modern iOS and Android devices but verify in Settings > Security on Android. Enable remote wipe capability through Find My (iPhone) or Find My Device (Android/Samsung) so that if your device is stolen, you can remotely erase both your data and your eSIM credentials before they can be accessed.
For travel eSIM privacy specifically, purchase travel eSIMs from reputable providers with transparent privacy policies rather than from obscure providers offering unusually cheap pricing. Budget travel eSIM providers with opaque ownership and minimal privacy disclosures are more likely to monetise user data as a secondary revenue stream. Stick to established providers — Airalo, Holafly, Saily, Roamless — whose privacy practices are public, verifiable, and subject to established regulatory frameworks. After completing a trip, delete travel eSIM profiles you no longer need from your device rather than accumulating unused profiles — fewer stored profiles means fewer potential data points and cleaner device management, though stored inactive profiles represent no active security risk.