Source.

eSIM (Embedded Subscriber Identity Module) technology is rapidly reshaping mobile connectivity by enabling users to activate cellular services without a physical SIM card. While the flexibility of remote provisioning improves convenience and scalability, particularly for international travelers, it also introduces complex and underexplored privacy and security risks. This paper presents an empirical investigation of how eSIM adoption affects user privacy, focusing on routing transparency, reseller access, and profile control. We first show how travel eSIMs often route user data through third-party networks, including Chinese infrastructure, regardless of user location. This raises concerns about jurisdictional exposure. Second, we analyze the implications of opaque provisioning workflows, documenting how resellers can access sensitive user data, proactively communicate with devices, and assign public IPs without user awareness. Third, we validate operational risks such as deletion failures and profile lock-in using a private LTE testbed. In addition to these empirical contributions, we reflect on the evolving threat landscape of eSIM technology and analyze the shifting trust boundaries introduced by its global provisioning architecture. We conclude with actionable recommendations for improving eSIM transparency, user control, and regulatory enforcement as the technology becomes widespread across smartphones, IoT deployments, and private networks.