urgent questions about leaking my use of grapheneos to carrier with kyc

carrierquestion

this is somehow urgent, any help is appreciated

sorry if those are noob questions, i am just a normal person with very basic tech and english knowledge

i will need a mobile data plan against my wishes, and it is impossible to have that without giving personal info to the carrier in this country - silent link is expensive and not an option, same goes for mobile routers - that means i will be forced to register it on my real name. i am "okay" with location and imei/imsi logging as long as i am in control of which locations get leaked and when, however...

the boxes i need to check are:
1. i do not want the carrier knowing i use grapheneos and obviously tying that to my real name because, like, 0,001% of people use this os here and i do not want to stick out unnecessarily by being put on lists or something
2. i can not leak my home address

i will be using airplane mode 97% of the time, and never deactivate it anywhere near my house
therefore only using data when needed, which checks the second box (i hope so, correct me if im wrong)

i know graphene makes some default connections to their servers.

considering i will need to use mobile data without a vpn at first. in order to activate the service, and that no other apps are installed:

a. is there any way i can prevent the phone from connecting to all default servers which mention grapheneos, at least until i activate the service? is that by removing specific permissions, or what? it looks like some of these connections cant be disabled

b. after activation, i will be using an always on vpn. are there any connections to aforementioned servers still leaking even while on vpn? connectivity checks will be set to disabled at all times, but what about the rest?

is this even possible, am i missing something?

c. what happens if i switch profiles? lets say i configured everything and am now using mobile data + vpn in a dedicated second profile with tidy owner setup. then, i activate airplane mode and switch to a third profile - one at a time, not running in background - dedicated to wi-fi only anonymous tor browsing. can my anonymity be compromised that way even without using mobile data and having sms/calls disabled there?

thank you for any answers and thank you graphene devs, you are amazing

Blastoidea

It is my understanding that you will stand out simply by using GrapheneOS, especially if you are part of 0.001%.

I’m not at all sure how it works though.

I’m not a wizard either, so maybe I’ll learn along with you.

[deleted]

Blastoidea nice to see you around again

GrapheneOS

You should use a VPN in each profile and set the connectivity check mode to standard. By default, GrapheneOS enables the toggles for always-on VPN and blocking leaks when you add a VPN supporting them. Please read https://grapheneos.org/faq#default-connections.

carrierquestion

GrapheneOS

sure. however, my concern is regarding the first steps after inserting the sim card for the first time into the phone. i cant mess this up, there is only one chance so i must be as sure as i can. i would appreciate your official clarifications again if possible, thanks for the answer

the carrier explicitly tells me to deactivate wifi and use "pure" mobile data (that is, without vpn) when accessing the website in which i will register the sim. i know because i have done it before, i think it is used to prove something i do not understand, probably ownership. but i did not try to do it while having a vpn on before because i wasnt privacy oriented. now i have no other way/phone to test this, only the graphene one

scenario 1: supposing i cant register and they do require me to disable vpn
the default graphene connections will be naked to the carrier, therefore ruining what i need. what i ask is, is there any way to disable all of those while i finish the activation process and can finally enable vpn? i could risk it and disable network permissions/change settings for everything i can under the default connections list you sent, but i dont know if this is enough or if there is any i cant change at all.

scenario 2: supposing i can activate it while using a vpn from the start and having connectivity checks set to standard to blend in (unlikely)
if i have airplane mode enabled and wifi disabled, along with a vpn running in the background (waiting for a connection since the phone starts) and set to auto-connect and always-on, then turn my phone off, insert the brand new/unconfigured/unregistered sim card and turn it back on.
can i 100% guarantee that the airplane mode will not be turned off and that i will be able to connect to the vpn using the new cellular connection with no leaks at all? wont any system setup regarding the new sim pop up and mess something up, especially without my knowledge? can i safely switch between wifi and LTE while connected to vpn with no issues?

sorry for any misunderstandings, i have read the link but as i said, my comprehension is limited and i want to make sure. thanks

carrierquestion

GrapheneOS

carrierquestion

quoting this again because i cant edit it anymore

i mentioned they require me to activate the sim by visiting a website without a vpn.

i confirmed that they moved to an app for that and the website is no longer available, but i still cant be sure about the 'no vpn' requirement, which i think holds true as for likeliness. i would rather not install an app, but it is what it is. at least they wont know i use vanadium

i have the apk ready and it will be uninstalled once i get the sim card and am able to activate it, i will just wait for more replies so i can be sure i wont mess this up

other8026

@carrierquestion

If all you need to do is register the SIM and don't want them to know you're using GrapheneOS, then why not flash Stock again, register with your provider, remove the SIM, flash GrapheneOS, set internet connectivity checks to Google's servers, set up VPN on all profiles you plan on using, then inserting the SIM?

If you want to be 100% sure your OS is not revealed, this is the only way I can think of going about doing it, especially considering they're requiring you register using an app.