19 percent of secondhand phones sold on eBay still contain sensitive data that could be used to identify the previous owner, according to a new study conducted by the University of Hertfordshire and commissioned by Comparitech.
University of Hertfordshire researchers purchased 100 secondhand phones via eBay to find out whether they could extract identifiable data from previous owners. The researchers performed forensic analysis on a wide range of devices, from high-end smartphones to conventional mobile phones with no internet capabilities.
19 percent of the phones contained data from previous owners, and 17 percent had data that could be used to identify those previous owners, along with other potentially valuable remnant data. The information included thousands of private emails, intimate photos, contact lists, text messages, tax documents, bank account details, web browsing histories, and personal calendars.
In the wrong hands, the personal data found on these devices could be used for a range of crimes including identity theft, fraud, extortion, and targeted phishing.
Researchers conducted their forensic analysis of the secondhand phones using publicly available tools that can be downloaded from the web.
52% of phones were properly wiped
The phones analyzed cover a wide range of ages and operating systems, including Android, iOS, Blackberry, Windows, and conventional “dumb” phones. The oldest was a Motorola from 1996. “The purpose of including a wide range of devices was to compare the amount of data that could remain in conventional devices in relation to more technologically advanced devices,” researchers explain.
Researchers attempted to create an “image,” or exact copy, of each phone’s memory for analysis. Of the 100 phones examined, 28 could not be imaged. These were predominantly the older devices, which researchers admit is a weak point in their methodology. In future research, they say they will focus on newer devices. University of Hertfordshire researcher Olga Angelopoulou explains:
“In reality some of the older/conventional devices could not be imaged as they were incompatible with the tools or were not functioning. Those that were imaged and analysed mainly contained some text messages, multimedia messages and contact lists. On the other hand, the more recent devices that had not been reset to the factory settings mostly contained some ex-user PII or fully retrievable ex-user PII. In fact, in those occasions that we managed to fully retrieve an identity was from a smartphone.”
52 percent of all the devices purchased for the study (74 percent of the successfully imaged devices) were reset to factory settings, evidence of an attempt by the user to erase personal data.
19 percent of the phones (26 percent of the successfully imaged devices) contained data from previous owners. In most of these cases—17 percent of the total sample—personally identifiable information was retrievable and could be used to identify a previous owner of the handset.
What data did the phones contain?
Researchers retrieved personally identifiable information from 17 percent of the phones purchased for the study. Some examples of the data on those phones included:
- A P11D Expenses and Benefits form for 2012-13 that contained: employer’s name, PAYE reference, payroll number, National Insurance Number, and date of birth.
- A contact list with 30 entries, including the previous owner’s number, a recent calls list, and 114 text messages including sexts and seven multimedia messages.
- Phone number, email address, and bank account details. 532 personal pictures and 16 videos. A list of calls made between October 2015 and January 2016.
- Several social media accounts that were still logged in, including Facebook, Instagram, and Skype.
- Apple ID and password, eBay username and password, 408 pictures, and web browsing history.
- Contact list and recent calls, as well as four email accounts.
- An email account that was still logged in and active.
- Evidence that the phone belonged to a child from Ringwood, Hampshire, with contacts and notes.
All of the phones were purchased on eBay between January and June 2018.
Why do people leave data on their phones?
52 percent of the phones analyzed had been reset to factory settings, showing that the majority of users took steps to protect their personal information.
“Modern smartphones and tablets offer several advantages related to communication and accessibility to their users,” the researchers explained. “The low level of effort it takes a non-technology or computer literate user to reset their device to the factory settings is indicative of the results from the study.”
17 percent of the phones contained information that could be used to identify the previous owner. That means the seller either made no attempt to erase the data or did so inadequately.
Comparitech teamed up with the University of Hertfordshire on similar studies focusing on secondhand memory devices, including USB drives and SD cards. Over half of those devices still contained remnant data from previous owners, so secondhand phones were properly wiped far more often.
Researchers suggest that it takes much less effort and knowledge to properly wipe a phone than it does to wipe memory devices.
Still, a significant number of people failed to erase personal data on their phones before reselling them. This could be due to a lack of understanding of how to properly delete data, a lack of concern in an era of data sharing and social media, or failure to understand the risks of exposing personal data.