Will using a mobile hotspot give more or less privacy?

AuroraByte

Just because I'm curious about this. My threat model is basically Google etc, not state agencies.

So I'm using GrapheneOS which of course reduces my trackability greatly. I saw a video of Naomi Brockwell suggesting to use a mobile hotspot rather than connecting the phone itself to cellular, because while the mobile hotspot is of course tracked by the carrier, there's simply much less data it can leak, compared to a phone. That makes sense to me, and I might start doing that just to see how far I can get down the privacy rabbit hole while still being able to surf the web when I'm out and about.

Now, what if I use another phone as a hotspot? In this case it would be an older Zenfone that I would use without logging in, and disabling everything I can that would be "phoning home" like pre-installed Asus telemetry whatnots. Those that can't be disabled can hopefully be blocked with Rethink or something like that.

The phone hotspot would obviously be linked to me since it'd be using my SIM. But as a hotspot, it would practially "hide" my GrapheneOS phone, right? The Zenfone itself, if properly degoogled, should transmit only an encrypted stream of data.

de0u

AuroraByte My threat model is basically Google etc, not state agencies. [...] The phone hotspot would obviously be linked to me since it'd be using my SIM. But as a hotspot, it would practially "hide" my GrapheneOS phone, right?

If the goal is concealing something about the phone from Google in particular, or, say, from Google and Meta, then whether injecting a hotspot between the phone and the carrier would or would not conceal those things is not answerable yet, as follows:

We don't know what about the phone it is hoped would be concealed,
We don't know what is running on the phone.

For example, if Google Play plus Google Messages is on the phone and RCS is being used with ICC identification turned on, then Google has access to device identifiers no matter which hotspots, VPNs, etc., might be in use. And actually Messages would probably fail to enable RCS without the SIM card being in the phone.

If the phone will be running privacy-invasive software, it will be very difficult to get the privacy-invasive software to behave in a privacy-respecting fashion. If the phone will not be running privacy-invasive software then is not clear what injecting a hotspot will accomplish, especially if the hotspot is more easily compromised than the GrapheneOS phone.

ClickClickDrone

NOTE: This is just my five cents, please correct me if I am wrong.

I'm pretty sure it doesn't matter, because in the end, you'll be browsing through the same IP endpoint, since the connection to the carrier will get allocated the same public IP regardless of which device the SIM card is inserted to, thus the carrier can track you through that.

But, for your threat-model, all this wouldn't matter anyway, because Google & friends cannot easily track your cellular usage. Unless you're using Google Fi, of course.

I'd actually recommend you use it on your GrapheneOS device, because I am pretty sure less sensitive permanent identifiers get leaked to the carrier, thus improving your privacy.

So, to summarise, the privacy benefits are basically none and, most importantly, you likely just make it harder for yourself, because you now have to phones to keep up-to-date and maintain and keep secured (remember, there's no privacy without security).

Good luck!

AuroraByte

de0u Thank you. I have Google Play Services on my phone (hope to get by without it in the future, of course) as it's needed for a few apps. So Google has some access to some things, and I didn't manage to enable RCS without it. However, I can receive both RCS and regular SMS when connected only to wifi (cellular disabled). Not sure if removing the SIM physically would make a difference.

de0u is not clear what injecting a hotspot will accomplish, especially if the hotspot is more easily compromised than the GrapheneOS phone.

I assume it wouldn't accomplish much in my case since GrapheneOS by itself probably offers more privacy and security than what I'd get with a regular phone and a hotspot. I get the reasons for using a hotspot with a googled phone.

Using another phone as a hotspot likely only adds telemetry in my case. I just don't know what exactly Asus and Google (and others?) would pick up from that phone.

In any case, since both calling and messaging work just fine on wifi, I'll turn cellular off when I'm in the range of wifi. That'll reduce carrier tracking at bit, at least.

de0u

AuroraByte In any case, since both calling and messaging work just fine on wifi, I'll turn cellular off when I'm in the range of wifi. That'll reduce carrier tracking at bit, at least.

It is best to assume that motivated entities know where most Wi-Fi networks are located. If Wi-Fi calling / VoWiFi is enabled, one way or another the carrier probably knows the device's location.