Or: I Bought a VPN, Stopped the Government from GPS Tracking my Phone, and Still Cut $8/Month off my Phone Bill
Phone Plans in Canada are Expensive
Ok, so, here in Canada where I live, cellular plans are expensive.
To demonstrate: in the USA, with unlimited texting and calling, you can get 5GB of data for $14 USD ($18.81 CAD), or 1GB for $9 USD ($12.09 CAD)1, all at 5G speeds.
In Canada, the closest I can get is $24 CAD ($17.87 USD) for 4GB (and only as a special offer, meaning there’ll be some restrictions), or 1GB for $19 CAD ($14.14 USD), both at 4G speeds. If I want 5G, the cheaptest plan I can get is $35 CAD ($26.05 USD) for 15GB.
Data-only plans, which are even cheaper, are simply not available in Canada.
This sounds depressing, right? Well, it is, but there’s hope: everything I’ve just said only applies to SIM-based phone plans.
eSIM
While normal Canadian phone plans are expensive and have a lack of options, there is an alternative: eSIM. eSIM is a type of SIM card that’s embedded as a part of the device, and can be reprogrammed with different SIM information on-the-fly. This means that the restrictions on who can provide service with eSIM are significantly lower, and that increased market means cheaper plans.
To compare to the prices in the previous section, I can get a 5GB plan for $14.25 CAD ($10.61 USD), or 1GB for $3.77 CAD ($2.81 USD).
There are two catches, though:
- Only some phones have eSIMs, and you can’t use an eSIM plan on a phone without one
- Most Canadian eSIM plans are data-only, so no texting or calling
But, that aside, if your phone has an eSIM, and you only need data, you can find much cheaper plans, with much more granular options, than any SIM plan.
If you want to look for cheap eSIM plans, the site I used was esimdb.
VOIP
“Ok, but what if I do need to text and call people?”
I’m so glad you asked.
VOIP is a group of technologies that allow you to call and receive calls over the internet, and many of them include a real phone number that you can use to make and receive calls and text messages just like you were using a regular phone.
VOIP has several benefits:
Firstly, it’s much cheaper than a regular phone plan. I estimated the cost of a few plans based on my current usage, and found I’d be paying about $1.50/month at my highest usage estimates.
Secondly, VOIP isn’t limited to just your phone: you can send and receive calls and text messages from your desktop, which, for me, would be extremely convenient.
Thirdly, it means you don’t have to transfer your phone number anytime there’s a better deal for your eSIM plan! You can just buy the new plan, activate it, and use the same number immediately!
However, there is a downside:
Many mobile apps and websites require mobile authentication via SMS, and some of those will refuse to send authentication text messages to VOIP numbers.
In some cases, such as with Google, you may have the option to receive an authentication call instead, which should work on VOIP numbers. However, many services don’t have a call-authentication option, so there may be services you simply cannot authenticate with.
However, there is a solution to this potential problem:
A Second, Bare-Bones SIM “Plan”
There are very few bare-bones pay-as-you go plans in Canada that don’t require you to pay monthly, but there is one: 7/11 SpeakOut.
7/11’s SpeakOut service doesn’t have a plan that charges less than monthly, but with a SpeakOut SIM card, you can load a balance (at what I’m lead to believe by outside sources is a $25 minimum) without buying an actual plan, and pay $0.35/minute for calling and $0.20/message for SMS, out of that balance (plus $1.25/month in “regulatory recovery fees”), and the balance doesn’t expire for 365 days!
That means that you can buy a SpeakOut SIM card from a nearby 7/11 for $11.25, top it up for $25, and effectively pay $2/month for the number (not including the cost of the SIM card, which, of course, you only need to buy once). If you top it up before the existing balance expires, you should even be able to roll your remaining balance over into the next year.
For avoiding the potential hassle of not being able to receive authentication text messages, this is pretty cheap - we’re still paying slightly less than we would for the American plans (albeit not for unlimited texting and calling). However, it might not be necessary for you, so it’s up to you if you go with this option.
You could also, I suppose, just use the 7/11 SIM instead of the eSIM and VOIP number, but the voip text/call rates are much cheaper, and this way you get data.
Saving Money
Ok, so if you’re only interested in saving money, this is where you can stop.
Here’s the tl;dr for how to save money on your phone bill:
- Buy an unlocked phone with an eSIM (the cheapest of which without a contract is the Google Pixel 3a, which costs about $250 at time-of-writing)
- Cellphones cost a lot of money, so if you don’t actually need a new phone, I’d recommend reading further to Portable Hotspots, since the solution there will cost you much less up-front than almost any phone.
- You can also buy an “eSIM SIM card” from eSIMme for €24.95 (about $36 CAD), which apparently allows a wider range of previously eSIMles phones to use eSIM plans.
- Search esimdb for a plan that fits your needs, and buy it
- Scan the QR code you’re given with your phone and setup the eSIM
- Sign up for whatever VOIP service is cheapest for you, where you live (for me, that’ll be voip.ms, but they don’t have their own app: see below)
- Either use whatever app they provide, or sign up with a provider that provides SIP information and use an open-source alternative
- Optionally, buy a 7/11 SIM card and top it up with $25 yearly (but not an actual plan)
- Throw away your old SIM card, and rejoice at saving a lot of money on your phone bill
- In my case, assuming I bought the 7/11 SIM, I’ll have saved about $15/month, which is more than half as much as my old plan cost, total.
- This is, of course, not counting the one-time costs of $11.25 for the 7/11 SIM itself, and however much the phone/hotspot/eSIMme cost if you didn’t already have one.
- In my case, assuming I bought the 7/11 SIM, I’ll have saved about $15/month, which is more than half as much as my old plan cost, total.
Privacy
Alright, but what if you care about your privacy? I care about my privacy.
SIM cards have low-level access to much more of your phone than you might realise:
- Sure, your provider can spy on your calls and text messages, we all know those aren’t secure (we… do all know that, right?),
- but what about…
- Turning your microphone or camera on and recording you without your knowledge?
- Turning your phone on when you’ve turned it off?
- What about tracking your every move?
Those are all things that your SIM card can absolutely do2, and you only have your provider’s word that they aren’t doing it - and they’re very cagey on the topic of what data your SIM card is sending them over encrypted channels.
eSIMs… have all of these same problems, and you can’t remove them from your phone.
Now, that’s not a major privacy concern for most people: if you own an Android phone, Google Play Services is constantly sending Google a “seemingly unending stream of user information”, and while Apple might be collecting slightly less data on their users, we mostly only have their word to go on for it.
However, if you want to take your privacy seriously, and you’re already using (or willing to switch to) a non-Apple phone that doesn’t have Google Play Services installed, there is an option:
Portable Hotspots
You know how I said you need a phone with an eSIM to use eSIM plans? Well, that was a lie. Sure, the device you use has to have an eSIM in it, but that doesn’t have to be a phone.
Portable hotspots are effectively tiny routers with SIM card slots. They provide internet to your phone or other devices using a SIM card’s data.
The benefit of a portable hotspot is that instead of having direct access to the low-level systems of your phone, the SIM card only has access to the hotspot, which doesn’t have cameras or microphones, and doesn’t house any of your apps.
Now, there are lots of portable hotspots out there, but we need one with an eSIM.
Not only that, we need one with an eSIM that we can use with any eSIM plan:
Because portable hotspots are simple devices without cameras, you can’t scan a QR code with one to switch the eSIM’s information.
Luckily, while most portable eSIM hotspots are locked to a single provider’s eSIM plans, a Chinese manufacturer by the name of Sunhans or eSunFi3 sells exactly what we’re looking for. Their customer-facing page is a little sparse on details, but their product page on globalsources confirms that it supports most Canadian cellular bands, and can be setup with pretty much any eSIM plan using an app.
The app is not open-source, and may require Google Play Services to work (although I was able to install and run it without, so it may work with just microG). However, you shouldn’t need to keep the app on your phone after setting up the eSIM, and if it doesn’t run on your setup, you can either use the GSpace app (which is free, with some intrusive advertisements in the launcher) or use someone else’s phone to set it up.
If you do use GSpace to set it up, I would recommend also uninstalling GSpace after use, because it does all of the tracking Google Play Services does, just without all the information from direct system-level access.
The device itself, which is apparently called the “SHFiEL40”, is about 3 by 3 inches, and about 3/4 of an inch thick. That’s only slightly larger than my phone, and my phone is smaller than yours. It should be extremely easy to carry around in a purse or pocket, and since we’re using VOIP for texting and calling anyway, you don’t actually need to keep it on you you while you’re at home or otherwise in range of WiFi (which is most of the time, where I live).
So, for privacy, we should use a phone that doesn’t have an eSIM built-in, and then use the SHFiEL40 for our data, instead of the phone itself.
VPN
“Ok,” you say, “but how do we keep the cellular service provider - along with anyone whose public WiFi I use - from snooping on what sites I visit?”
Well, with all the money we’re saving on our phone plans (my calculations have me saving about $17 CAD from my previous plan4), we can afford to spend a little of it on a VPN!
VPNs route all of your traffic through their servers, so no websites can recognise your IP, and no internet providers can see what sites you access.
Bonus: you aren’t limited to using a VPN on just your phone. Most VPNs allow multiple devices per account, so you can use one for your phone, laptop, desktop, and likely at least a few other devices.
Now, of course, the VPN provider can see those things, but, Mullvad requires no personal information to sign up, and can be paid for using, among other things, cryptocurrency5 and cash! This means that your internet activity won’t be readily traceable back to you.
Sunhans/eSunFi claims on another of the company’s websites6 that the SHFiEL40 has a built-in Wireguard VPN (an open-source VPN solution that many companies use), so you should be able to setup Mullvad on the device itself, using the device’s WebUI as described in its manual. According to their help centre, Mullvad supplies preconfigured Wireguard configuration files to customers, so the process should be relatively simple.
There are privacy benefits to having your VPN on an external hotspot, as both Android and iOS devices can and do bypass your VPN settings for some system traffic, so this is a great feature.
Additionally, while Mullvad has a limit of 5 devices connecting at a time, the SHFiEL40 only counts as one device toward that limit, and the SHFiEL40 supports up to 10 devices at a time, so you can theoretically expand the number of devices simultaneously using your account to 14 while using data (if you need that many).
Mullvad only costs €5 ($7.22 CAD right now) per month, so we’ll still be saving plenty of money on our bill.
Saving Money and Improving Your Privacy
Alright, so here’s the tl;dr for those of you who do care about privacy:
- Make sure your phone doesn’t have an eSIM
- Either root your phone and uninstall Google Play Services, or install a privacy-oriented ROM onto your phone (such as e/OS, GrapheneOS, or CalyxOS)
- Sign up for Mullvad
- Search esimdb for a plan that fits your needs, and buy it
- Buy the SHFiEL40 from their customer-facing website or from their GlobalSources page (unless another, better or cheaper option has become available after I’ve published this post)
- Setup the eSIM on the SHFiEL40 using the app
- Setup Mullvad on the SHFiEL40, likely using the Wireguard configuration files that Mullvad supplies
- Sign up for whatever VOIP service is cheapest for you, where you live (for me, that’ll be voip.ms)
- Make sure you sign up with a provider that provides SIP information, so you can use an open-source SIP app
- Optionally, buy a 7/11 SIM card and top it up with $25 yearly (but not an actual plan)
- If you’re going the privacy route, you should ideally leave the SIM card out of your phone when you aren’t using it.
- Enjoy significant savings, and significantly improved privacy
- The SHFiEL40 costs significantly less than any model of phone that supports eSIM, so the up-front cost will be lower than if you went the money-saving-only route.
- This is somewhat offset by the fact that the VPN eats into the cost-saving-over-time, so you’ll be saving slightly less money than the cost-saving-only route after about 5 years.
- The SHFiEL40 costs significantly less than any model of phone that supports eSIM, so the up-front cost will be lower than if you went the money-saving-only route.
Ok, But What If I Really, Really Care About Privacy?
“Sure, that’s all great, but look at all those purchases! Surely those can be tracked! What if I need the absolute best privacy for my phone?”
I’m so glad you asked!
Here’s the more complicated set of steps that one might take if they’re trying to do this with as little information leakage as possible7:
- Put on a mask (much more common these days) and sunglasses, as well as a hat to cover your hair if it’s recognisable, and baggy clothing to hide your form (this will be much less weird if you do it in the winter)
- Go to a convenience store and purchase a prepaid credit card, using cash
- If you don’t want your purchases to be connected to eachother, buy multiple cards, and use different cards for each online purchase
- If you really don’t want your purchases connected to eachother, buy them from different convenience stores (this is excessive, even for this section of the guide)
- If you don’t want your purchases to be connected to eachother, buy multiple cards, and use different cards for each online purchase
- Install Linux on your computer, and use it for every subsequent stage of this process
- Download and install the Tor browser (probably through your package manager, now that you’re using Linux)
- Go to Mullvad’s website using the Tor browser, and Purchase Mullvad using cash (I’d recommend paying by the year or longer, to make your life easier)
- Setup Mullvad and use it during every subsequent stage of this process
- Download a privacy-hardened browser such as Librewolf
- Download e/OS or CalyxOS
- e/OS is available on more devices, whereas CalyxOS are limited to a much smaller selection. CalyxOS is a fork of GrapheneOS, but while GrapheneOS is limited to newer Google Pixel devices (all of which have built-in eSIMs), CalyxOS supports the Moto G32, G42, and G52, as well as the Shift6mq and Pixel 3, all of which seem to be eSIM-free.
- Purchase a new phone supported by the ROM you’ll be using, using one of the prepaid credit cards
- If you’re- ok, no, if you’re actually following this guide at this point, you definitely care about privacy enough to take weird, excessive steps like this:
- Set the address to which the phone will be sent to the address of someone who lives near you (and ideally is rarely home)
- Sign up for email alerts on your package using a temporary email service like GuerrillaMail
- Request that the package is left in front of the front door
- When you receive an email alert for the package, wait near the address you sent it to, and after the delivery vehicle leaves, “steal” your package
- Gloat at how extremely private you’re being
- Flash the new ROM onto your new phone
- Search esimdb for a plan that fits your needs, and buy it using a prepaid credit card (and a private or temporary email address, if it requires one)
- Sign up for whatever VOIP service is cheapest for you (for me, that’ll be voip.ms), using a prepaid credit card and a private email account
- Make sure you sign up with a provider that provides SIP information, so you can use an open-source SIP app
- Private email is actually not trivial, but my best recommendation at the moment is cock.li, which is apparently no longer invite-only. Use a separate email address for every account.
- Buy the SHFiEL40 from their GlobalSources page using a prepaid credit card and a temporary email address
- Again, if you’re going the absurdly privacy-scrupulous route, send the package to someone else’s address and “steal” it
- Using your old phone, or the phone of someone else you know, install the app, and setup your eSIM plan with the SHFiEL40
- Setup Mullvad on the SHFiEL40, likely using the Wireguard configuration files that Mullvad supplies
- Feel like a badass, until you realise that most of this was probably unnecessary unless you’re actually on-the-run from one or more governments.
- Still end up saving money, even if you’ve probably wasted a lot of time.
Future Updates
So, if you hadn’t guessed from some of my wording, I haven’t actually tried this yet. I’ve done all the research, and all the numbers work out, but this has seen zero real-world testing.
However, I like saving money, and I like improving my privacy (though perhaps not enough to follow all of the steps in the previous section), so I do intend to try this out! So, I’ll be purchasing the SHFiEL40 sometime in the next few days, and I’ll post updates (and likely update this post as well) with how it goes!
If this works out, I should end up spending noticeably less money on my phone bill. Not only is this good for me, but I’d argue that giving less money to Canadian telecom companies is a direct moral good: everybody wins!
Update 1: 911
It seems that maybe I was mistaken about needing a SIM to call 911 in Canada, so I’ve removed any references to that.
Update 2: Initial Impressions
Everything has arrived!
Porting my old phone number to the VOIP plan took a little longer than I was expecting, because I missed the confirmation text the first time. Unfortunate, and that meant it took long enough to transfer that it rolled over into the next month (I had started late in the month, to get the most of the last month I’d already paid for with my old provider). I was able to preemptively switch my old plan to renew on their cheapest plan, but that’s still $15 extra in initial costs I wasn’t planning on spending.
The VOIP plan itself is working extremely well, except that the app I want to use (Linphone) has issues with the somewhat-nonstandard way the provider I chose (voip.ms, and apparently literally just them) handles SMS messages. There’s a setting to still show the incoming messages despite that issue (disable Chat>Hide chat rooms from removed accounts
), but it does still group incoming messages separately from outgoing ones. This is definitely fixable by either switching SIP apps or VOIP providers, but it’s still annoying.
The eSIM plan I was looking at apparently has really poor-quality service, so I’m currently on one that’s about $13 CAD, instead of the $7 I was expecting (for 3GB/month). Luckily, it’s very easy for me to switch the eSIM plan for a cheaper one when I find a better deal.
I have not yet gotten around to purchasing or setting-up the VPN plan.
The eSIM router was relatively easy to setup, although the app did not function without Google Play Services or GSpace.
Because the router is on a limited data plan, it’s a good idea to set it as a “metered connection” in your phone’s WiFi settings. This will make your phone prefer other, non-metered networks over the hotspot, so you can avoid accidentally using more data than you intended to.
The router has a 3060mAh battery, which will generally last it about as long as my phone (with a similar battery capacity) will. However, while the router itself is generally pretty simple to use, it requires me to login to its webui to enable cellular data every time after restarting it. Additionally, the webui login interface is inexplicably broken on mobile (even in browser desktop mode). This makes it very difficult to save power by turning the device off while not in use.
However, I’m smart, and the router’s security isn’t particularly complex, soooo:
Fixing The Annoying Issue with the eSIM Router
I watched my network traffic through the browser tools while logging into the router’s interface and while enabling the data connection. Turns out, it’s very simple!
- Both actions send an HTTP POST request to a specific path in the router interface’s ip (http://192.168.0.1/cgi-bin/ajax_get.cgi).
- The only piece of data that matters in either is the
content
value, which is html-encoded xml data. - The login request sends the following (non-html-encoded, so you can read it more easily - except for
%01
, because that won’t print right in this context):which_ajax=api/user/login%01xmldata=<?xml version="1.0" encoding="UTF-8"?><request><Username>USERNAME</Username><Password>PASSWORD</Password></request>
(obviously with my username and password replaced with the stringsUSERNAME
andPASSWORD
). - The request to enable the data sends
which_ajax=api/dialup/mobile-dataswitch\u0001xmldata=<?xml version=\"1.0\" encoding=\"UTF-8\"?><request><dataswitch>1</dataswitch></request>
.
So, all I need is something that’ll let me easily send HTTP POST requests from my phone - ideally from somewhere convenient like my homescreen.
Something that’ll let me easily send HTTP POST requests from my phone’s homescreen.
Oh, great! And it’s open-source!
So then, we open that app, and create three shortcuts:
- First, a “Regular HTTP Shortcut” with the
POST
method and thehttp://192.168.0.1/cgi-bin/ajax_get.cgi
URL, a body value ofwhich_ajax%3Dapi%2Fuser%2Flogin%01xmldata%3D%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3Crequest%3E%3CUsername%3E<<YOUR_USERNAME>>%3C%2FUsername%3E%3CPassword%3E<<YOUR_PASSWORD>>%3C%2FPassword%3E%3C%2Frequest%3E
, a content type oftext/xml
, and “Response Handling” options that aren’t too intrusive (I went with toast popups on failue). - Second another “Regular HTTP Shortcut”, with the same method, URL, content type, and response-handling options, but with a body value of
which_ajax%3Dapi%2Fdialup%2Fmobile-dataswitch%01xmldata%3D%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3Crequest%3E%3Cdataswitch%3E1%3C%2Fdataswitch%3E%3C%2Frequest%3E
. - Last, a “Multi-Shortcut” with both of the previous shortcuts.
- Now just add the widget to your homescreen, and after whenever you connect to the hotspot, click that button to enable it!
Great! Problem solved!
Overall, there have definitely been some hurdles, but it’s looking like there’s only one minor one left to overcome (the SMS issue), and then I should be issue-free!
See you in the next update!
Update 3: VPN and Automation
I finally got around to buying Mullvad!
I went about it the difficult-but-better way (mailing them cash, although I might try using Monero when I renew in a year), so it took a few weeks for my money to reach them and for them to add the time to my account.
Setup on my phone and desktop was dead easy (they have a very nice little app for it).
VPN on the Hotspot
I was initially going to also run it on my wireless hotspot, as implied in an earlier section of this post, but I ran into two issues:
1: I couldn’t figure out how to get my phone to automatically disconnect from the VPN locally when it connected to the hotspot (which could cause issues if the hotspot was also running the VPN).
2: I had some minor issues setting up the VPN on the hotspot (with it enabled, I couldn’t connect to any sites, so presumably something was wrong with my config).
In addition to those issues, my current phone is rooted, has Google Play Services uninstalled, and uses AFWall+, so I’m pretty sure there aren’t any system services that are privileged and bypassing my on-device VPN.
For these reasons, I didn’t bother figuring out issue #2. If I eventually run into a way to solve issue #1, I’ll probably try again at #2 and post about it here.
Automating Enabling the Hotspot
I mentioned in a previous section that I was annoyed by the hotspot not automatically enabling its connection when started.
I solved this problem at the time by using an app to add a shortcut to my phone’s homescreen that would send POST requests to the hotspot to login and enable the network.
However, during all the fiddling around I did with automation in order to try to automatically disconnect from my on-device VPN when I connected to the hotspot, I found a better solution!
Easer is an open-source automation app available on F-Droid, and unlike apparently every other automation app I’d previously looked at, it both A: is actually functional, and B: supports making HTTP requests!
So, loosely-following this guide for setting up similar automation for OpenVPN, I was able to set it up to automatically send the login and enable requests to my hotspot whenever I connect to it.
I won’t go into too much detail on how I did this, because it’s relatively simple if you’ve read the rest of this post and are looking at the linked guide, but here’s the basics just in case:
- in Easer, go to the Data tab
- create an Event for detecting when you’re connected to the internet (as described in the aforementioned guide)
- create a Condition for detecting whether or not you’re connected to the hotspot’s network (again, as described in the guide)
- create another Condition for the 5G version of the hotspot’s network
- create a Profile, and add 2 “HTTP request” Operations to it
- set them both to POST
- set the URL for each to
http://192.168.0.1/cgi-bin/ajax_get.cgi
- set the content type for each to
text/xml
- set the POST data for each respective request to the data from each respective action described in the previous update
- go to the Pivot tab
- create a Script for detecting whether you’re online, as described in the guide
- add a child to that Script for your hotspot’s network, and another for the 5G version
- for both of those child Scripts, set the profile to the one you created for enabling the network
- go to the Outline tab and start the service
- go to the app’s settings, and set it to autostart with your device
- start your hotspot and connect to it, to make sure the automation is working
This worked excellently for me, and I hope if you’re in a similar situation it works well for you too!
- I’ve heard tell of 1GB unlimited call/text plans for as low as $5.50 USD, but wasn’t able to confirm those. You can probably find cheaper than I did if you look harder, but I don’t live in the USA, so I didn’t have much incentive to look very hard.↑
- And the last of them - constantly tracking your location - it definitely is doing, because that’s a necessary part of connecting you to the cellular network.↑
- In my experience, a Chinese tech company going by multiple names is extremely common, and not particularly a red flag.↑
- This is actually an introductory offer I don’t qualify for: my plan is actually this one with a permanent free +2GB of data. You’ll notice that this is slightly more expensive and noticeably slower than the introductory offer, with less data: this is one of the many reasons I hate introductory offers.↑
- Most cryptocurrency exchanges require personal information to sign up, and can be traced extremely easily, so I’d recommend either using cash, figuring out how to buy cryptocurrency without an exchange (which is more work), or using Monero, which has measures in place which make it much more difficult to trace purchases.↑
- Really, I swear, this is just what Chinese tech companies are like.↑
- Some of these steps are rather excessive, but I might actually try out some of the less-excessive parts, just for fun.↑