Channel 4 pressure mobile phone recyclers to data wipe handsets
On August 25th 2013 the EU amended its data protection regulations, with the result that recycling companies are no longer responsible for the data security of recycled phones; the liability now falls on the consumers who sell their handsets. So if a hacker buys your phone and retrieves hidden personal data, the recycling company will not be held accountable, only the consumer.
Channel 4 has recently investigated how hackers can now freely download police forensic data software from the Internet, allowing them to recover data from old phones even after a factory reset. Channel 4’s reporter Geoff White called it a “wake up call for consumers”: people who recycle their mobile devices must be more careful than ever about the data left behind on their phones.
Business Insider says “One of the biggest concerns within the [electrical recycling] field was when software used by the police called forensic data retrieval was officially made available to the general public.
Software like Oxygen Forensic and AccessData allows anyone to recover data from phones and other mobile devices even after it has been deleted or undergone a factory reset.”
As a result, when selling your phone you need to actively make sure the company you are dealing with provides you with three key things to ensure your data is as safe as possible.
Permanent is the key word here: settle for nothing less than a Permanent Data Removal (Permanent Data Destruction); anything else leaves your phone susceptible to hacking. After simply deleting, performing a factory reset, reinstalling the software or reloading the firmware, the flat data itself can still be recovered from separate locations within the phone’s solid-state memory.
A factory reset only erases the data’s pathways, not the flat data, and reinstalling the operating software will only affect the software, not the data. So before recycling or selling your phone, make sure you ask the company for a permanent data removal, which deletes the actual flat data. It’s a longer procedure than a mere factory reset, but it is well worth it for the security alone.
Technology information website Hongkiat said “First thing to do is make sure the [recycling] company give you a serial number and a tracking ID (it should be stated on their website). This means you are able to monitor the process as the procedure happens.”
A unique tracking number is something a phone recycler should give you to keep you informed, step by step, as your phone goes through the permanent data deletion stages. It works much like a postage/delivery number: you can type it into the company’s online system to track the process whilst the phone is in their possession. This should be available to view at any time, from the moment the phone comes into the company’s possession until the deletion procedure is completed.
A certificate sounds quite trivial, but it is the best way to hold the recycling company to a position of responsibility. It contains all the information regarding the data removal and an official acknowledgment from the company that the phone’s data is 100% irretrievable. It will also include the full audit conducted when the phone data was destroyed.
This certificate will automatically put the onus on the company, and if your data still manages to get hacked, the recycler will be responsible, regardless of the EU’s statement.
British-based phone recyclers Bozowi Sell My Phone say “By offering people an official certificate of destruction, recyclers are essentially putting their money where their mouth is. They are taking the responsibility off the consumers, who it never should have been on in the first place. It should be the recyclers who are responsible for data security; we have access to the resources that the average consumer wouldn’t.”
It would also be an automatic reputation destroyer if data was still recovered after a recycling company gave you a certificate of destruction, and no serious company would risk such incompetence with this much on the line.
So if a consumer does recycle their mobile device, it is recommended that they receive all of the above confirmations from the recyclers before selling them anything.
When you recycle your phone, do you wipe all data?
Comments
3 thoughts on “Channel 4 pressure mobile phone recyclers to data wipe handsets”
It is good to see the media picking up this story. We provide data erasure services of all devices but mobile phones and tablets are still treated as exempt from potential data breaches.
Bozowi Sell My Phone are making an extremely dangerous statement; responsibility for data cannot be passed around purely with a tick in a box. It has to remain the responsibility of the data controller. They even mention Royal Mail delivering the items! So do Royal Mail or any other courier accept responsibility for data up until the point of delivery?
This highlights the need to use an accredited specialist rather. If in doubt, use an ADISA accredited ITAD. ADISA is recognised by DIPCOG and any company achieving this standard is able to provide advice on the security of mobile devices.
You’re not taking into account that Royal Mail do not purchase things, they transport them from A to B. So of course they won’t take data responsibility. Phone Recyclers buy devices off people and therefore should have to take some moral responsibility as the new owners.
Also let’s not forget that the EU will soon change its regulations, meaning recyclers will have no choice but to be responsible for the debris data on their consumers’ devices.