Salient lesson on deleting data on devices

July 15, 2014

A constant problem in the digital age is deleting data stored on digital devices. Computers, photocopiers, scanners, printers and smartphones have, to a greater or lesser extent, storage capacity. They are devices that are readily turned over, sometimes for resale. Personal information stored on those devices remains the responsibility of an organisation if it is covered by the Privacy Act or state legislation. Documents are regularly photographed by smartphone, and documents can be emailed to a device.

In "Security Firm Manages To Access Deleted Data On Used Android Devices", Red Orbit reports on data being retrieved from used Android devices.

It provides:

If you tend to take selfies of an amorous or suggestive nature, you might want to think twice before selling your old smartphone, as one prominent computer security firm cautions that not even wiping the device’s data and performing a factory reset guarantees that your old files and personal information will be inaccessible to the new owner.

In a blog entry posted last week, Jude McColgan of Avast Software explained that the company purchased 20 used Android smartphones through an online auction website, then used “simple and easily available” recovery software to gain access to a truly astonishing amount of deleted files, including over 40,000 stored photographs.

Among the pictures the firm recovered, said Alice Truong of Fast Company, were more than 1,500 of children, over 750 of women who were “in various stages of undress” and about 250 that were male nude selfies. In addition, they recovered over 1,000 Google searches, more than 750 emails and text messages, the identities of four previous phone owners and even a completed loan application.

“The problem arises because the factory reset function, found in the Settings function, doesn’t actually wipe the data from the storage on the phone. Instead, it wipes the index that points to the locations in the storage where the data is written,” explained Charles Arthur of The Guardian.

In most cases, that is enough to prevent a nosy individual from accessing the data on a newly acquired used smartphone, he added. However, Avast was able to use forensic tools in order to directly access storage areas and reconstruct photos and other files – unless you use Android’s built-in disk encryption function first.

As ArsTechnica Reviews Editor Ron Amadeo explained on Wednesday, “Android has a built-in disk encryption feature that can be turned on by going to settings, security, and ‘encrypt phone.’ … After the encryption is done, then you can hit the factory reset button, and your device will be more secure than the standard factory reset.”

The process will take a while, he noted, but it is far more secure. While the files will still be present on the device, they will be encrypted, and the encryption key will be destroyed by the factory reset. As a result, the phone has no way of decrypting and reading them, making it all but impossible for unsavory types to gain access to your data.

Furthermore, in a statement sent to Amadeo following the publication of his initial report, Google said that Avast’s research “looks to be based on older devices and versions and does not reflect the security protections in Android versions that are used by 85 percent. If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years.”

Apple-device owners have no cause for concern, Arthur said, as newer iPhones and iPads use the AES 256 algorithm to encrypt data, as well as a software key generated using information from the owner. When it comes time to sell an iOS phone or tablet, and the owner opts to “erase all content and settings,” it also deletes the cryptographic key – meaning that the information remains on the phone, but is “encrypted beyond any capability to decode it.”
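The difference between a reset that only clears the index and a reset that also destroys an encryption key can be shown with a small model. This is an added example, not part of the quoted article: `Phone`, `carve`, `MARKER` and `keystream` are hypothetical names, the sample data is constructed, and the SHA-256 keystream is a stand-in for a real disk cipher.

```python
import hashlib

MARKER = b"IMG:"  # constructed file signature that a recovery scan looks for


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the device's real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


class Phone:
    def __init__(self, key=None):
        self.storage = bytearray()  # raw flash contents
        self.index = {}             # file name -> (offset, length)
        self.key = key              # None models a phone without encryption

    def save(self, name: str, data: bytes) -> None:
        offset = len(self.storage)
        if self.key:
            # Encrypt before the bytes reach storage.
            ks = keystream(self.key, offset + len(data))[offset:]
            data = bytes(a ^ b for a, b in zip(data, ks))
        self.index[name] = (offset, len(data))
        self.storage += data

    def factory_reset(self) -> None:
        # Only the index and the key are destroyed; storage is left untouched.
        self.index.clear()
        self.key = None


def carve(raw: bytes) -> list:
    """Ignore the index and scan raw storage for known signatures."""
    return raw.split(MARKER)[1:]


def demo(key=None) -> list:
    phone = Phone(key)
    phone.save("photo", MARKER + b"beach.jpg-bytes")
    phone.save("form", MARKER + b"loan-application")
    phone.factory_reset()
    return carve(bytes(phone.storage))


if __name__ == "__main__":
    print("reset only:        ", demo())
    print("encrypt then reset:", demo(b"\x07" * 32))
```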
