A recent study by BlackBelt revealed that deleting data or performing a factory reset does not fully remove the personal information recorded on a phone. This becomes a problem when phones are recycled and reach a second owner. With employees using phones for both business and personal purposes, the issue becomes even more important.
BlackBelt, a mobile phone security firm in the UK, investigated whether users adequately remove data from their old phones before recycling them to friends, family, or strangers. Together with YouGov, it surveyed more than 2000 UK adults. The results showed that 25% of respondents have knowingly owned a second-hand or refurbished device. One third of them found a previous owner's contacts, photos or other personal information on the recycled phone.
Even though mobile phone users understand that they must clean a device before giving it to anyone else in order to protect their privacy, they do not do it effectively. The study showed that, of those who gave their phone to a second user, 59% manually deleted data, 72% removed the SIM card, and 50% performed a factory reset. Yet when asked whether they believed these actions were enough, only 26% agreed that manual deletion completely wipes data, whereas 37% believed a factory reset is enough.
Experts explain that removing data from a mobile device is not that easy because of the wear leveling technique used to extend the life of solid-state memory. Solid-state memory has a limited lifetime. Wear leveling increases it by distributing memory usage so that no single area gets overused too quickly, and by minimizing data overwrites. Consequently, a full removal of personal data is not possible using a device's built-in factory reset or by re-flashing the operating system. Data that hasn't been overwritten is relatively easy to recover.
This hypothesis was tested with old phones. The owners were asked to wipe them, and the devices were then taken to AccessData, a company that sells phone forensic software. Information such as email data, documents, photos, contacts, and a geographic history based on WiFi access points was recovered. To protect the data, one can choose between two solutions: the first, suggested by Wired, is a hammer; the second, suggested by BlackBelt, is specialist software to destroy phone data.
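The wear-leveling behaviour described above can be seen in a toy model. This is an added example, not code from BlackBelt, AccessData or the study; the `ToyFlash` class, its page count and the sample strings are constructed, and the factory reset is modelled, as an assumption, as a purely logical format that drops the block mapping.

```python
# Toy flash translation layer: a constructed model, not any real controller.
class ToyFlash:
    def __init__(self, n_pages=8):
        self.pages = [None] * n_pages      # physical pages (None = erased)
        self.erase_counts = [0] * n_pages  # wear per physical page
        self.l2p = {}                      # logical block -> physical page

    def _erase(self, page):
        self.pages[page] = None
        self.erase_counts[page] += 1

    def _allocate(self):
        free = [p for p, d in enumerate(self.pages) if d is None]
        if not free:  # garbage-collect one stale page only when forced to
            live = set(self.l2p.values())
            free = [min((p for p in range(len(self.pages)) if p not in live),
                        key=self.erase_counts.__getitem__)]
            self._erase(free[0])
        return min(free, key=self.erase_counts.__getitem__)  # least-worn page

    def write(self, lba, data):
        page = self._allocate()            # never overwrites in place
        self.pages[page] = data
        self.l2p[lba] = page               # the old page keeps the old data

    def delete(self, lba):
        self.l2p.pop(lba, None)            # only the mapping is dropped
    def factory_reset(self):
        self.l2p.clear()                   # assumption: logical format only

    def erase_all(self):
        for p in range(len(self.pages)):   # erase every physical page
            self._erase(p)
        self.l2p.clear()

    def recoverable(self):                 # data outside the live mapping
        live = set(self.l2p.values())
        return {d for p, d in enumerate(self.pages) if d is not None and p not in live}

def demo():
    f = ToyFlash()
    f.write(0, "contacts-v1")
    f.write(0, "contacts-v2")              # logical overwrite
    f.write(1, "photo.jpg")
    f.delete(1)                            # manual deletion
    after_delete = f.recoverable()
    f.factory_reset()
    after_reset = f.recoverable()
    f.erase_all()
    return after_delete, after_reset, f.recoverable()
```

In this model, manual deletion and the reset leave every page readable by a raw dump of the chip; only erasing all physical pages empties it.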