Think your electronic device is safe to re-sell? Think again.
New University of Guelph research finds many of us may be inadvertently leaving our sensitive data on the thousands of cellphones, laptops and other electronic devices we discard every year.
Led by computer science professor Dr. Hassan Khan, the study found that at least a quarter of those who recently discarded a device used insecure methods to erase their data — often because they didn’t understand how to do it properly.
Many more chose to simply hold onto used or broken devices, not quite sure how to get rid of them safely, adding to recycling woes.
Given the explosive growth of electronic devices in the past decade and how quickly many of us upgrade to new ones, it’s important that users understand how not to leave sensitive data behind, said Khan.
“There are many reports of people who have found unusual images or info on devices they bought second-hand,” he said. “Although several previous studies have estimated the scope of the problem, this study is the first to investigate this from the users’ perspective to understand their decision-making processes.”
The research is due to be presented at the Seventeenth Symposium on Usable Privacy and Security, taking place virtually Aug. 8–10.
Khan and master student Jason Ceci, along with colleagues Drs. Urs Hengartner and Daniel Vogel of the University of Waterloo’s Cheriton School of Computer Science, surveyed 131 people who had recently listed an item for sale on an online marketplace, such as Kijiji.
They then conducted further interviews with about half the survey respondents about some of their decisions.
They found that when users stopped using a device, a full 73 per cent chose to simply hold onto at least one device due to privacy concerns.
When respondents did get rid of devices by selling or giving them away, recycling or returning them to their provider, only 62 per cent used the proper, built-in “Factory Reset” function to erase their data.
Another 25 per cent used an insecure method, such as manually deleting some or all of files, while 8 per cent chose not to remove their personal data at all.
“A factory reset is really the best way to remove your data,” said Khan. “But many users choose to just delete their files, not realizing that these files could be easily recovered.
“When we manually delete a file, the file is still there; only the record for how to access that file is deleted. It’s like if we took off our house numbers and removed our street signs. Our house would be harder to find, but it would still be there.”
Without a factory reset, a user’s browser history or saved passwords could remain on the device along with all their data, he added.
Of those who used unsafe methods to remove data, many said they were confused by misleading data deletion prompts.
For example, when users empty the “recycle bin” on Microsoft Windows, the prompt reads: “Are you sure you want to permanently delete all of these items?” — leading many to believe this is a secure method of file deletion.
More needs to be done to educate users on how to safely erase data, but device manufacturers and retailers have a role to play as well, said Khan.
“Misleading prompts are not helping. Artificial Intelligence techniques could be used to detect when users are disposing of their device, such as when users are manually deleting data across the device, and then guide them to perform a secure procedure. And retailers who accept used devices for resale or recycling should be transparent about how they will sanitize the devices.”
The research was funded through a grant from the Natural Sciences and Engineering Research Council of Canada.
Dr. Hassan Khan