Location Privacy without Carrier Cooperation

Abstract

Cellular network operators can track the location of cell phone users as they connect to different towers. Operators may not directly control the user’s phone, but they do supply and control the SIM card that identifies the user. We seek to preserve a cellular phone user’s location privacy from cellular network operators. We propose the ZipPhone protocol for secure, virtual, and therefore easily changeable SIM cards. ZipPhone breaks the association between the user and the IMSI identifier, and thus prevents the cellular operator from localizing the user. At the same time, it still allows authentication, billing, and E911 service by the operator. We empirically analyze the effectiveness of ZipPhone against a passive carrier. This class of attacker has a location profile of the user before they switched to ZipPhone, but relies on the normal operation of GSM mechanisms to learn the location of users. We reproduce the results of a previous inference study and show that it did not realistically model GSM carriers. We show that ZipPhone users can expect to be deanonymized only 6% of the time, which is a sixth of the rate reported by previous work.

Publication
Proceedings of the IEEE Workshop on Mobile System Technologies (MoST)