Your old cell phone data can reemerge from the past to haunt you. Whether it’s because sellers are lazy or naive, cast-off phones still contain troves of information about their former users. And as phones get smarter, they’re ever more likely to hold bank account passwords, personal email, or private photographs that anyone with the right kind of motivation could exploit.
PCWorld's previous investigations have shown that people don't properly erase the data on their old computer hard drives before they dispose of their laptops and desktops, even when the data includes their own sensitive information and that of others. And consumers seem to be just as uninformed when it comes to eliminating the data on their old phones.
To see just how critical the problem is, we bought 13 Internet-capable phones from various sellers on eBay, small businesses, and flea-market stands in the San Francisco Bay Area. We found that 5 of the 13 phones still had information on them.
The first incompletely wiped phone we purchased from a reseller had call-duration data still on it--proving that some of your information, however anonymous, will remain on the phone even if you perform a proper factory reset. Another phone we bought from a company that claimed to specialize in cell phone recycling arrived with contact information, voicemail, and text messages on it. Two phones purchased from flea markets in Oakland, California, had considerable amounts of email, text messages, contact information, and photos on them; and one phone we bought from an individual still had email and contact information on it.
Wipe Your Phone and Check It Twice
Smartphones usually have at least two stores of memory: a SIM card, and the phone’s internal memory. Many phones also have additional data stored on removable SD Card media. The SIM and SD cards had been removed from all the phones we purchased. But people seem to forget (or not know) about wiping the phone's internal memory. That’s where we found data on the five phones that still contained some. Removing the SIM card stops the phone from communicating with the network, but doesn’t erase the email and contact lists already on the phone.
One of the phones we acquired for this article was a Samsung BlackJack II purchased off eBay. The seller was Rebecca May-Cole, executive director for the Pennsylvania Behavioral Health and Aging Coalition. The phone had belonged to a temporary employee who worked under May-Cole doing outreach for senior depression and mental-health issues; when the employee’s grant ended, May-Cole decided to sell the phone.
The phone arrived at PCWorld's office with the SIM card removed, but its internal memory contained email and contacts from the month before. Worse, the BlackJack II is a Windows-based phone, so when we hooked it up to a computer, we were able to access a few downloaded documents that weren’t immediately visible on the phone’s interface.
“Oh my gosh, how embarrassing,” May-Cole groaned when I contacted her. “I took out the SIM card, which I thought deleted all the information off it, and I didn't even think to check out the phone before we sold it.” In May-Cole's defense, that is how older feature phones used to work: The SIM card kept most of the contacts, text messages, and call history that supplied the phone’s memory. But phone manufacturers have long been adding more and more internal memory to smartphones--which means that merely removing the SIM card does less and less to protect your information.
Of course, for each of the 13 phones, after we contacted the previous owner or seller, we either offered to give the phone back to the original user or destroyed the information.
Don't Count on Companies to Wipe Your Data
One of the phones we bought was a Verizon LG Dare from G0g0gadgets, a subsidiary of a company called Access Computer Products based in Loveland, Colorado. When the phone arrived, it contained considerable amounts of data about the previous user, including several text messages with pictures of a couple kissing, and even one with a toddler and a message underneath that read “cute little baby cuz.”
When we checked the phone’s Electronic Serial Number with Verizon, the carrier reported that the phone had been listed as lost or stolen, even though G0g0gadgets’ eBay listing did not mention a bad ESN. Even with a bad ESN, a cursory factory reset of the phone would have erased the previous owner’s information.
Amanda Maes, a representative of G0g0gadgets, responded: “Our phones are supposed to be cleared; I'm not sure how that slipped through the cracks. I can look and see who tested these phones, and we can make sure things are done to our standards in the future.” She also said that G0g0gadgets maintained about 600 listings on eBay at any one time and sold about 100 phones a day, and that the company employed two people to clear and refurbish the phones. Those two people were not available for comment, nor has the manager of the company returned our call asking for comment. Update: A manager at Access Computer Products, Brian Lesser, contacted us on Monday, after we tried to reach him Friday morning. He said G0g0gadgets would be reinforcing its policies and procedures with staff to make sure these types of breaches don't happen again.
Such an egregious violation of the original owner’s privacy is probably not as uncommon as you’d imagine. Negligence in handling old phones is easy to get away with because the barrier to entry in the tech-recycling business is fairly low: The business requires almost no overhead (all you need is a bunch of old phones and an eBay account) and provides relative anonymity, so it’s no wonder that incompetent or apathetic resellers might jump on the “recycled phones” bandwagon and compromise your safety and the security of your personal information.
More-reputable companies such as Gazelle.com, a tech reseller based in Boston, know firsthand that people are careless with their information. Kristina Kennedy, a senior manager at Gazelle.com, says that 50 percent to 65 percent of phones that come to Gazelle’s warehouse each day have the previous owner’s information in them. To deal with that, the company trains its staff to perform a manual factory reset on each device that comes through the door, along with destroying any SIM cards and formatting SD Cards that may arrive with the devices. (For the record, we purchased a phone from Gazelle without the company's knowledge, and found it completely clean of information.)
PCWorld also bought two phones from Jason Mills, who runs a company called SoonerSoft out of his living room in Oklahoma. Mills receives thousands of used phones at a time, shipped to him from phone companies that pass the castoffs to him to wipe and resell. When we asked how many phones come to him with at least some of the previous user’s data intact, he answered without hesitation: “Oh, probably 99 percent. People don't wipe their phones and they should--it's not smart. I get business phones with email that competitors would love to get their hands on--oil and gas companies, I got phones with information about lands and mineral rights.”
People who don’t know how to properly wipe a phone might assume that middlemen like Mills will wipe the phone as part of the reselling process. Clearly, however, not every phone dealer is as honest as Mills. And the fact that so many customers take such a nonchalant attitude toward clearing their phones before selling them to strangers means that there’s a lot of low-hanging fruit for identity thieves and other people of dubious motives.
One critical thing to remember is that no regulatory body is forcing used-phone sellers to delete data. The National Institute of Standards and Technology, for instance, has issued only a guideline for wiping used phones. And although the Department of Defense has released a standard to wipe the hard drives of desktop computers, the DoD has no equivalent for smartphones. Unless you do your research, expecting another party to wipe your phone is like playing identity-theft roulette.