Travel eSIMs have become one of the easiest upgrades in modern travel. You land, scan a QR code, activate a data plan and avoid the old airport ritual of queuing for a plastic SIM card. For most travelers, that is the whole story: cheaper data, faster setup, less roaming pain.

But a recent warning from Taiwan has put a less comfortable question back on the table: when you buy a cheap international eSIM, do you actually know where your mobile data is going?

The issue was raised by cacaFly CEO Nathan Chiu, who wrote on social media that travelers may underestimate the cybersecurity and privacy risks attached to some foreign eSIM services. His comments, reported by Taipei Times, referenced a Northeastern University paper presented at USENIX Security 2025, titled eSIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem.

The study examined travel eSIMs and found that user traffic is often routed through third-party networks, sometimes including Chinese infrastructure, regardless of where the traveler is physically located.

The Routing Problem

This is where the story becomes more interesting than the usual “is eSIM safe?” debate.

The problem is not eSIM technology itself. eSIM is simply a digital SIM profile. The bigger issue is the commercial stack behind it: providers, resellers, roaming partners, core networks, IP routing and profile management.

According to the USENIX paper, travel eSIMs can route data through foreign jurisdictions and users may not be clearly told who controls the profile, where the IP address is assigned, or which network path their traffic follows. The researchers also highlighted risks around reseller access, silent SIM toolkit behavior, public IP assignment and eSIM profile management.

READ MORE: Ubigi’s SmartIP Is the Quiet Feature That the eSIM Industry Has Been Ignoring

Chiu gave one example involving Holafly, saying that users could see an IP address linked to Hong Kong-based China Mobile International. He also said that some packets containing metadata, such as IMSI, IMEI, location trajectory, traffic behavior and DNS queries, could pass through China Mobile’s core network before reaching their final destination.

That does not automatically mean someone is reading your WhatsApp messages or watching every website session in plain text. Much modern traffic is encrypted. But metadata still matters. In telecom, metadata is not a small thing. It can reveal where a device connects, what services it queries, when it moves and how it behaves.

Why China Is Mentioned

The China angle matters because telecom routing is also a jurisdiction question.

China Mobile International is registered in Hong Kong, but Chiu argued that companies connected to Chinese telecom infrastructure may fall under legal obligations shaped by China’s Cybersecurity Law and National Intelligence Law. Article 7 of China’s National Intelligence Law says organizations and citizens should support, assist and cooperate with national intelligence work in accordance with the law.

READ MORE: eSIM Claims vs Reality: What You Should Check First

This is where the debate becomes sensitive. There is a difference between theoretical legal exposure and proven surveillance of individual travelers. The responsible reading is not “all China-linked eSIMs are spying on you.” That would be too simplistic. The more useful point is this: routing transparency is now a security feature, not a technical footnote.

If a traveler is in Japan, Thailand or Europe but their traffic exits through Hong Kong, Singapore or mainland-linked infrastructure, that affects privacy, app access, compliance and trust. It may also explain why some users suddenly cannot access services such as ChatGPT, Claude or Gemini. As Chiu put it: “

You could be in Japan, Thailand or Europe, but OpenAI, Anthropic and Google would still see you as Hong Kong users because the packets are routed through there.”

The Consumer Confusion

This is exactly where most travelers get lost.

They do not think in terms of IMSI, IP routing or mobile core networks. They think: “I bought a Japan eSIM, so my data is in Japan.” Often, that is not how travel eSIM economics works.

Many low-cost global eSIM products are built on roaming-style architectures. The provider may sell a local-looking product, but the data session may be anchored somewhere else. That can be perfectly legal and technically normal, but it should be clearer.

The USENIX researchers make a broader point: eSIM convenience has shifted trust boundaries. With physical SIMs, users usually buy directly from a local mobile operator. With travel eSIMs, users may buy from a brand that relies on wholesalers, resellers, remote profile platforms and roaming hubs. Each extra layer can reduce visibility.

And this is not only about China. The same transparency issue can apply to any provider using opaque routing through foreign cores, whether the exit point is in Hong Kong, Singapore, Europe or the US.

Taiwan’s Own Problem

There is another uncomfortable part of this story: users do not choose foreign eSIMs only because they are careless. They choose them because local alternatives are often too slow, too expensive or too bureaucratic.

Chiu asked why Taiwanese travelers avoid buying travel eSIMs from local operators such as Chunghwa Telecom, Taiwan Mobile and Far Eastone, even though those companies have established international roaming relationships. His answer was regulation.

READ MORE: What happens between ‘Buy eSIM’ and ‘Connected’ (step-by-step breakdown)

In Taiwan, anti-fraud rules mean users must complete Know Your Customer procedures before telecom services can be provided. Chiu said people wanting eSIMs from Taiwanese telecoms often face in-person steps, fees and restrictions that make the process feel outdated compared with instant, data-only foreign eSIMs. Taiwan’s National Communications Commission said the major operators already offer prepaid data-only overseas travel services and that some activation fees can be waived, but it also said KYC obligations remain under fraud prevention rules.

That is the market gap in one sentence: consumers want instant connectivity, while regulated operators still behave like every SIM is a fraud risk waiting to happen.

What Should Travelers Check?

The practical answer is not to panic. It is better to ask questions before buying.

A serious eSIM provider should be clearer about network partners, IP exit locations, hotspot rules, throttling, data routing, customer support and whether the service is data-only or linked to a phone number. For sensitive users such as journalists, executives, public officials or enterprise travelers, this matters even more.

For everyday travelers, the risk is usually less dramatic, but still real. If your banking app, AI tool, streaming service or work platform reacts strangely while abroad, the issue may not be the destination. It may be your eSIM’s routing path.

Conclusion about travel eSIM privacy risks

This story should not be used to scare people away from eSIMs. That would miss the point. eSIM is still one of the best things that happened to travel connectivity: faster activation, less roaming shock, no plastic waste and far better convenience.

But the market is maturing, and the old sales pitch of “cheap data in 200 countries” is no longer enough.

The next serious battleground is trust. Providers such as Airalo, Holafly, Nomad eSIM, Ubigi, Yesim, GigSky and operator-backed travel eSIM services will increasingly be judged not only on price and coverage, but on transparency: who carries the traffic, where it exits, what metadata is exposed and how much control the user actually has.

Cheap data got travelers into the eSIM market. Clear infrastructure will decide who they trust next.