Ontario teen's photos, info ended up in someone else's hands after she traded in her broken iPhone
Stranger who bought 15-year-old's refurbished phone had access to her social media accounts
After shattering the screen of her iPhone, Natalie Hall thought the device was basically junk.
She never expected it to wind up 11,000 kilometres away, in the hands of a man who used it to add himself as her Facebook friend and to follow her private Instagram account.
But last week, a man messaged the 15-year-old on Facebook, saying he had bought her used phone in Dubai and the device still had all of her data on it. To prove it, he sent Hall a screengrab of her old phone's camera roll, commenting on the "sweet" photos of the teen, her friends and her dog.
"I was overwhelmed," said Hall, who is from Bowmanville, Ont. "It's creepy having your pictures and your contacts and your social media, text messages — all of that kind of stuff — out there with just a random stranger."
Broken phone traded in for $11
Hall said she could hardly type two characters on the badly damaged screen of her iPhone 5s before it would stop working. So she and her mom traded in the device last fall at a mall-based kiosk, getting $11 off a new phone from mobile retailer TBooth.
Hall said she assumed her old phone had been recycled.
"It was so broken — to the point where the guy I sold it to couldn't even use it himself," Hall said. "For people to say that it's common sense to wipe your phone, I don't know if your phone is that broken."
The phone was instead refurbished and eventually ended up in the hands of the man who reached out to her on Facebook.
It's creepy having your pictures and your contacts and your social media ... out there with just a random stranger.- Natalie Hall
The man initially asked her multiple times to accept his friend request, Hall said. But when she didn't, the man went into her Facebook account using her old phone and added himself.
The same thing happened with her Instagram account, Hall said.
"He had liked all my posts and I was like: I have a private account, I didn't accept this," she said. "I had to change my passwords for everything."
Hall has since blocked the man from her social media accounts.
Man says he wiped phone and sold it
CBC Toronto reached out to the man who was contacting Hall on Facebook. In a series of messages, the man wrote he was sorry for disturbing Hall, and that he's since wiped all her data from the phone and sold it.
The phone was part of a bulk purchase of used phones he made in Dubai for resale purposes, he said, although he's since returned to Pakistan. The man told CBC Toronto the stock he buys normally comes from the U.K., Canada or the U.S.
Meanwhile, Hall's mother, Janet, says she's felt "powerless" since her daughter told her about the situation.
"I felt so sick for her," Janet Hall said. "For $11, I would have definitely just kept the phone … I didn't realize the dangers."
Janet Hall said she remembers scrolling through terms and conditions at the mall kiosk when she and her daughter went to do the trade-in, but she admits she didn't read the whole thing before agreeing to the terms. She said she wishes she'd been told upfront that the phone might be refurbished so she could've made sure all of her daughter's data was wiped.
"We were excited about the purchase of her new phone," said Janet Hall. "We weren't really concerned about the trade-in of her old phone and where it was going."
The terms and conditions of TBooth's trade-in program state that it is the customer's responsibility to "delete all data from the trade-in device before you trade it in," and the company "cannot guarantee that any data left on the device will be deleted or not deleted."
The company's website also says old devices are sent to a "recycling partner" for assessment and that they may be either refurbished or dismantled for scrap.
Protecting your personal data
Deleting data is a little more complicated than you might think.
Ahmed Bafagih buys broken phones like Hall's every day through his company, GizmoGrind, and says most people aren't taking all the necessary steps to protect their personal data.
"A typical factory reset doesn't necessarily mean your data is erased," said Bafagih. "It's just saying your device is now cleared for other data to be written on top of it."
Even though you can't see your data anymore after a reset, Bafagih said a stranger could still access it by downloading software to extract it from your device.
"A 10-year-old with a Wi-Fi connection can do it," Bafagih said. "It's only one Google search away."
There is an exception, according to Bafagih and other tech experts consulted by CBC Toronto. On newer iPhones, it has become much harder to recover data after factory reset, because the data is encrypted.
To protect against potential data recovery, Bafagih's company pays for software that overwrites the data on used phones a number of times to make sure the old, personal data can't be accessed.
And he said there's a free way to do it: you just have to overwrite your data with new files. Here's how he says you can do that:
How to overwrite your phone data yourself
Step 1 - Go to your phone's settings and reset the device.
Step 2 - Download some large files, like videos.
Step 3 - Upload the large files to your phone.
Step 4 - Go to your phone's settings and reset the device again.
Unfortunately, Bafagih said, those steps might not have helped Natalie Hall. It all depends on how damaged her phone was, he said, and if she could still operate it.
"If your phone is broken and you want to sell it broken, make sure you're selling it to a company that will perform this extra step: a software-based data eraser," said Bafagih.
"Ask — and then re-ask. You want to make sure they're going to do that."
With files from Chris Glover