How to wipe personal data from discarded devices a mystery for some, researcher says
'For a lot of users, they just didn't know a better way,' says researcher Jason Ceci
People selling or recycling an old smartphone, tablet or laptop may be unaware that the device may still contain easily accessed personal data.
Researchers at the University of Guelph contacted 131 people who had advertised their device online for sale. Although a majority had used a factory reset to clear their personal information from the device, over one-third had not cleared their devices properly. And many had not deleted the data at all.
Some had deleted their information using insecure methods, such as manually deleting data themselves, says Jason Ceci, a researcher and master's student in computer security.
The problem with trying to manually delete everything is that the data is stored in many places and associated with a variety of apps, so it's easy to forget to dig it all out.
"They often forget about some stuff like their browsing history or their website logins or location tracking data," Ceci said.
"The other problem with manually deleting data is it's recoverable if you just manually delete it rather than using a proper factory reset or security or a function."
Data security symposium
The study was presented this week at the Symposium on Usable Privacy and Security, which took place virtually. The study included both the online survey and interviews with survey participants.
"Although several previous studies have estimated the scope of the problem, this study is the first to investigate this from the users' perspective to understand their decision-making processes," co-researcher Hassan Khan, an assistant professor in Guelph's school of computer science, said in a release.
The study did list some limitations, including that it relied on participants to report their own behaviours and that the age range skewed to people 30 and younger because advertising for the survey was done online due to the pandemic, which may not have reached older adults.
And the sample group itself was not large.
Some 'didn't know a better way'
Ceci said in many cases, people just didn't realize they were leaving sensitive data on the device.
"For a lot of users, they just didn't know a better way. Or, it was the easiest way just to do it wrong and give it away," he said.
"Some of the devices that people have don't make it very easy to securely remove data," Ceci said, noting some older laptop computers required a multi-step process to delete all information.
"It was difficult for the average user," he said.
"It's getting a little better... Windows 10 has a 'reset my PC function' where it asks you if you're going to be donating or selling the device. And then if you click yes, it says it'll take longer, but it'll securely erase everything," Ceci said. "And then you can be more confident in selling or donating the device, which is ultimately better for everyone."
Holding on to devices
There were also many people who said they simply held onto an old device instead of tossing it or recycling it if they were concerned about privacy.
"Sometimes devices are not functioning and then you don't have the charger anymore. That's where it becomes a grey area, where it's not really known what's the best course of action with that kind of device," Ceci said.
Some of the respondents found old phones or devices during spring cleaning and just donated them, not knowing what was on them, Ceci said.
"There is some potential for privacy leaks there, but without an easy way to wipe a device that's dead, there isn't currently much you can do without destroying the device."
Manufacturers, retailers could help more
Khan says there are growing reports of people finding unusual photos or information on devices they got secondhand.
He said manufacturers and retailers can play a role in ensuring people can safely delete their information from a device.
"Artificial intelligence techniques could be used to detect when users are disposing of their device, such as when users are manually deleting data across the device, and then guide them to perform a secure procedure," Khan said.
"Retailers who accept used devices for resale or recycling should be transparent about how they will sanitize the devices."