A small experiment by Card Protection Plan (CPP) in the UK has shown that over 50% of used phones still hold personal information. However, this doesn’t appear to be due to customer indifference to data security. Rather, it’s the nature of how data is stored on phones. Perhaps, the use of encryption software, not unlike AlertBoot, would be best — with some modifications, that is.
80% Claim to Wipe Data
CPP purchased used phones on-line and other sources for testing. In total, 35 cell phones and 50 SIM cards were tested for any traces of personal data. A little over half, 54%, contained personal information, including credit card numbers, debit card numbers, PINs, and passwords. Photographs, contact information, and login details to websites were also found (presumably for smartphones).
This does not match up to claims by 81% of people who state that they wipe their phones and SIM cards before offloading them. Furthermore, 50% of used cell phone owners admitted that they found previous owners’ information, which is more in line with the experiment’s results.
The discrepancy between 81% and 50% is too big to ignore. What’s going on? Are people lying or recollecting events incorrectly? It wouldn’t be the first time that happens on a survey. But it could be something else.
How Do You Wipe Phone Data?
The study noted that “manually wiping the data was the most common method to delete information.” I find that the above quote could have been better explained. I mean, what is “manually wiping data?” Is it when you go through the phone’s menu, find the appropriate section, and press OK? Or is something else, like resetting back to factory settings, or what?
(Automatic wiping, of course, is pretty well-established: it’s when you type in the wrong access code too many times, and the phone automatically wipes your data. Usually, some flavor of disk encryption is involved. More on this later.)
CPP hasn’t revealed how they recovered the information from their purchased objects. The easiest method, obviously, is to turn on the phone and just look through the contents of the device. Another method would be to take out the storage components and use data recovery tools. This latter one, however, seems a bit far-fetched, especially when you consider that regular Joes are reporting the same data recovery rate as CPP: the former sounds more likely than the latter.
Deleted Data Could Remain Behind
So, how does one reconcile the fact that 30% or so of deleted data seems to just magically reappear on phones? Again, a possible answer is that many people who claim a phone’s data is deleted were possibly lying.
Another possible answer, and a not so obvious one, may be that a phone doesn’t quite do what it’s supposed to do (some might say that’s not surprising) when it comes to data deletion: It could very well be that people used the factory reset function, except that this did not quite erase all the data found on the phone. It’s always advisable for people to go back and check to make sure that deleted data is, in fact, deleted (personally, I do this with computer hard drives as well. Once I run a “data deletion” software, I’ll run a data recovery tool afterwards, just to make sure it worked).
I should note that if CPP had done some advanced testing on the phones using custom-built data recovery tools, they might have found that data recovery rates hover around the 100% mark. That’s because modern phones make use of flash chips for data storage, and it’s been found that it’s nearly impossible to delete data in such a medium.
Full Encryption Allows for Automatic Wiping
Interestingly enough, about the only method that could guarantee total evisceration of data is the one where you’re not actively trying to erase data: automatic data wiping. There’s a caveat, of course. This is only true if automatic data wiping is powered by the use of encryption (which generally is the case).
How does automatic data wiping work? Basically, your device is already encrypted to start with. When you set up your phone for data wiping, the encryption key is deleted after a set number of incorrect password guesses. Because the encryption key is required to read the encrypted content, deleting it means you (or anyone else) cannot read the data in your phone anymore. (In fact, this is one excellent method of turning your devices into an expensive brick if you don’t know what you’re doing.)
Granted, if you can figure out what the key is, you can recover the data. In order to prevent this from happening, encryption keys are made exceptionally long and random, ensuring that a you won’t be able to guess it…unless you’ve got a couple of centuries to spare (24/7/365).
Related Articles and Sites: