We worry about our personal information falling into the wrong hands when our phones are in our pockets and our laptops are on our desks. We set up firewalls, craft long, intricate passwords and know not to open email attachments from strange senders. We treat security at first as groundwork, then as maintenance.
Often, when we discard our old devices, we forget they continue to store our whole lives. The detail held in their memory cards and hard drives lies dormant. When it's time to recycle or resell them, some of us don't give much thought to the hardware that still holds mountains of personal information.
"If you send your computer out without wiping it, you may as well write your social security number down and put it down in Central Park," Sean Magann, the vice president of sales and marketing for Sims, an electronic waste recycling company, told Mic.
Yet according to Magann, many consumers either don't understand the dangers or think that simple measures like reinstalling a computer's operating system or resetting a mobile phone to its factory settings are enough.
"It's very alarming," Magann said.
According to the Electronics Recycling Coordination Clearinghouse, a project started by the nonprofit National Center for Electronics Recycling, only 25 states in America have e-waste recycling laws on the books, and not all of them include stipulations about customer data. Magann added that some — not all — e-waste recyclers have certifications in place to protect customer data. This, of course, assumes that discarded electronics end up at recycling plants in the first place; a good deal of them end up on curbs and in trash heaps, where they can fall prey to just about anyone.
For identity thieves in search of personal information, "one [uncleared] hard drive out of 100, it's worth its weight in gold and more," Magann said.
Robert Siciliano, an identity theft expert based in Boston, agreed that many consumers don't understand the risks involved with data removal. "It's not knowledge that is directed toward the layman," he told Mic, comparing it to the general lack of knowledge common to other areas. "There are many things going on underneath the hood of a vehicle that most people who drive cars aren't aware of," he said. "It requires specialized knowledge."
Siciliano told Mic about a small, anecdotal experiment he once performed to test out this lack of knowledge. He traveled around the Boston area and collected 30 second-hand devices from eBay and Craigslist, including laptops, desktops, iPods, BlackBerrys and iPhones, "with the intention of seeing what kind of information I could get off of them." All of the devices came with the assurance that they'd been cleared of any data. He then turned them over to a friend who was familiar with data forensics.
"He was able to find information off of 17 of the 30 devices that could equate to identity theft," Siciliano said. "We found people's entire digital lives." The friend uncovered photos, videos, social security numbers, usernames, passwords and addresses.
"You name it," Siciliano said. "Everything you can imagine. It's just the way it goes."
The problem, he explained, stems from a fundamental misunderstanding of what it means to clear data.
"Most consumers, when they engage in resetting a device back to factory [settings], that's the premise — to get rid of all the data, to make it safe so you can recycle it," he said. "Frankly, that's what I used to think. I was just as guilty."
Magann concurred. "People don't get it. [They say], 'Well, I deleted all my files ... it's gone.' From a logical standpoint, it's gone, but forensically, it's still there," he said.
For criminals, unearthing someone's data stash is like winning the lottery. "Thieves are always looking for the least resistance," Magann told Mic. People may be getting smarter about protecting their private information while it's in their possession, but thieves will simply wait until that's not the case anymore. "It's like, if I can't get in the front door, I'll just wait for them to get rid of it," he said.
What you can do: Fortunately, there are options out there that will all but ensure your discarded devices don't end up as some fraudster's treasure chest.
There are three primary ways to actually get rid of data: wiping, purging and destroying. Wiping, according to Magann, is better for newer gadgets, because they can still be used afterward. Purging involves hitting a gizmo with a magnetic force, which renders it unusable — "it's like a brick," he said. Destroying, as the name suggests, involves the physical demolition of the object.
"[Wiping] is pretty darn close to an absolute," Magann said. "I would do it for my personal stuff, the Department of Defense would do it to their stuff." But, he cautioned, if you don't do it right, it won't be effective. Wiping can be done at home, as can destroying (grab your sledgehammer and go nuts!), but purging typically requires sending your device to a professional recycling service.
These services aren't just for consumers, either. Businesses looking to get rid of old devices need to be particularly careful about properly clearing data, lest they become liable if someone gets their hands on it.
Luckily, it's not impossible. "It's totally doable," Siciliano told Mic. "It's just a matter of doing your research. It's not rocket science. Most consumers are capable of removing any residual data with the right software. The issue is more taking the initiative to take that action."