According to tests carried out by researchers at the University of Hertfordshire (UK), nearly two-thirds of memory cards bought used from eBay, offline auctions, and second-hand shops were improperly wiped. That is, the researchers were able to access images or footage that were once saved to these electronic storage units… even if they were deleted.
Free and Easy to Use Software
Popular media would have you believe that extracting such information requires advanced degrees in computers as well as specialized knowledge and equipment. These would certainly help; however, the truth is that an elementary school student would be able to do the same. The researchers used “freely available software” (that is, programs downloadable from the internet) to “see if they could recover any data,” and operating such software is a matter of pointing and clicking.
In this particular case, the recovered data included “intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.” According to bleepingcomputer.com, of the one hundred memory cards collected:
- 36 were not wiped at all, neither the original owner nor the seller took any steps to remove the data.
- 29 appeared to have been formatted, but data could still be recovered “with minimal effort.”
- 2 cards had their data deleted, but it was easily recoverable
- 25 appeared to have been properly wiped using a data erasing tool that overwrites the storage area, so nothing could be recovered.
- 4 could not be accessed (read: were broken).
- 4 had no data present, but the reason could not be determined
Deleting, Erasing Wiping… Not The Same
Thankfully, it appears that most people are not being blasé about their data. They do make an effort to delete the files before putting up their memory cards for sale. The problem is, deleting files doesn’t actually delete files. (This terminology morass is the doing of computer software designers. Why label an action as “Delete file” when it doesn’t actually do that?)
The proper way to wipe data on any digital data medium is to overwrite it. For example, if you have a hard drive filled with selfies, you can “delete” all of it by saving to the disk as many cat pictures you can find on the internet (after having moved all of the selfies to the trash/recycle bin on your desktop). This is analogous to painting over a canvas that already has a picture on it, although the analogy breaks down somewhat if one delves into technical minutiae.
Incidentally, this is why encryption can be used to “wipe” your drive: Encryption modifies data so that the data’s natural state is scrambled / randomized. When an encryption key is provided, the data descrambles so that humans can read it. Once the computer is turned off, the data returns to its scrambled state. So, if you end up selling a memory card with encrypted data but without the encryption key, then it’s tantamount to offering for sale a memory card that’s been properly wiped.
More of the Same
This is not the first time an investigation has been conducted into data found on second-hand digital storage devices. As the bleepingcomputer.com article notes, similar research was conducted in the past:
A study conducted in 2010 revealed that 50% of the second-hand mobile phones sold on eBay contained data from previous owners.
A 2012 report from the UK’s Information Commissioner’s Office (ICO) revealed that one in ten second-hand hard drives still contained data from previous owners. A similar study from 2015 found that three-quarters of used hard drives contained data from previous owners.
And these are but a small sample of the overall number of similar inquiries over the years.
The world has seen more than its fair share of privacy snafus, be it a data breach or otherwise. Despite the increased awareness on data security and its importance, the fact that we’re still treading water when it comes to securing data in our own devices could signify many things:
- People don’t really care, even if they say they do.
- No surprises there.
- We are too focused on spotlighting the problem and failing in highlighting the solution.
- News anchor: “Yadda yadda yadda…This is how they hacked your data. Be safe out there. And now, the weather.” Be safe how? What do I do to be safe?
- People interested in preserving their privacy do not sell their data storage devices; hence, studies like the above are statistically biased to begin with.
- Essentially, researchers are testing the inclinations of people who don’t really care about privacy or don’t care enough to really look into it (a quick search on the internet will show you how to properly wipe your data).
- Devices sold were stolen or lost to begin with, so the sellers do not have any incentive to properly wipe data.
Whatever the reasons may be for the continued presence of personal data on memory storage devices, regardless of how much more aware we are of privacy issues, one thing’s for certain: It’s not going away.