Erasing devices is not simply a matter of performing a factory reset. The factory reset process does not always erase the data.
There are two basic components to a secure electronics disposal program:
1. First, all data must be permanently erased from working devices.
2. Second, any device that cannot be erased must be recycled in a manner that protects the data from being recovered at a future time.
Selling devices through auction: Many agencies are surprised to learn that auction sites often do not GUARANTEE the complete erasure of data. Read all terms and conditions carefully. It is common for auctions to use terms like “Certified Data Erasure” or “Secure Data Destruction”, but they employ processes that DO NOT ensure complete data erasure. Some even say so in their user agreement – terminology such as: “we assume no liability” or “we do not guarantee we will erase all data on devices”.
The 911CPB purchased 10 smartphones from a popular online auction site that sells items on behalf of law enforcement and public agency clients to see if there was any data left behind. Many of the smartphones listed on this auction site are sold in “as-is” condition. Devices are listed as “untested due to the fact it does not power on, does not take charge, sold as-is, for parts, may be account or carrier locked”. Remember, untested essentially means uncleared. Note what was found on these 10 devices:
• Two devices were simple feature phones with no user locks. All data on the devices were available.
• Two iPhones were iCloud locked. Data was encrypted and they were unable to recover any data.
• One Android smartphone was unable to be repaired and they were unable to recover any data.
• Three Android smartphones were repaired. These devices had no user lock. Photos, videos, text messages, and contacts were easily recovered.
• Two Android smartphones were repaired. They had user locks, however, after a factory reset, photos (including pornography), videos, text messages, and contacts were easily recovered.
Smashing devices: Some agencies choose to purge the devices in their possession by smashing them. This is not effective, nor is it secure. Secure data-erasure recycling facilities have helped law enforcement recover data from destroyed devices on multiple occasions. The device itself may be destroyed, but the data contained in it is still very much alive.
Environmental standards: Not all devices can be adequately erased. Some will not power on, are damaged, or are obsolete. These devices must be recycled by a certified R2 recycler. An R2 recycler strictly follows both environmental and security standards for the electronic recycling industry.