Consumers are overwhelmingly concerned about their personal data, and most of them try to delete it before selling or recycling their devices, according to new research.
Researchers from the universities of Guelph and Waterloo in Ontario this month presented “Concerned but Ineffective: User Perceptions, Methods and Challenges when Sanitizing Old Devices for Disposal.” The research paper was presented at a symposium on privacy and security on Aug. 9-10.
In the study, the authors probe a variety of consumer behaviors related to selling or disposing of their devices.
“We explore users’ decision-making process starting from when they no longer need a device to discover any difficulties or misconceptions they may have in regards to sanitizing their devices,” the paper states.
The researchers examined smartphones, computers, hard drives and more. They surveyed 131 people and interviewed a subset of 35 respondents.
Concerned consumers try to remove their data
Only 11 of the 131 respondents said they didn’t try to remove any personal data before disposing of a device. Of those who attempted data removal, 62% used a “factory reset” function on the device and 25% used manual deletion of some or all the device’s data. Other respondents used a tool that would zero-fill – a method of formatting – or otherwise securely erase the data storage.
All but one of the 131 respondents said they were at least somewhat concerned about the possibility of an “untrusted individual” having the ability to access their data on an old device. A majority of respondents reported having the highest level of concern about that possibility.
A handful of respondents said they rely on the device processor or marketplace for data destruction.
“I was going to remove some data but it got way too inconvenient to try and delete everything before returning it for a trade-in,” one respondent stated, according to the study. “I think they delete everything there.”
Another key data point demonstrates that data deletion doesn’t always happen: The researchers asked survey participants whether they had ever purchased a used device that contained personal data from the prior owner. Of the 35 interview respondents, 12 people reported finding the previous owner’s personal data on a device they’d purchased, including photos, documents and login credentials.
Of those dozen respondents, four bought the devices from major electronics retailers.
“I had bought an open box laptop from [a major retailer] that had a lot of someone’s files like photos and documents,” one respondent stated in a quote included in the study. “Their OneDrive account was also logged in on the desktop.”
What the sector can communicate
The study makes some recommendations to companies that bring in used or end-of-life devices. The researchers said these operations should better communicate their data-destruction practices to the consumers.
“When accepting used devices, retailers should provide information about how devices will be sanitized, potentially information about the data erasure standard that will be followed,” the researchers wrote.
The study added that 94% of the interviewed respondents either somewhat or strongly agreed that used device marketplaces should explain the risks of selling used devices and should provide tips on data sanitization. The researchers discussed the trade-offs of such communication.
“While arguably these marketplaces have an ethical responsibility to inform the sellers about potential risks and ways to sanitize their devices, the economics of this action needs more investigation,” they wrote. “On the one hand, transparency about such risks may stop sellers from selling their devices and on the other hand, with the availability of information on how to sanitize the devices, more people may be willing to sell their used devices.”
