In a striking revelation, a recent study by researchers at the University of Maryland (UMD) unveiled that many used cell phones bought through a police auction website contained personal data. This research raises concerns about privacy and security when purchasing used electronic devices.
Police departments generally acquire phones through civil asset forfeiture or sometimes from the airport lost and found. Over several months, UMD researchers bought 228 used phones from PropertyRoom.com, a reseller that collaborates with thousands of police departments.
The research found that many of the phones housed sensitive personal information. The most alarming discovery was that one of the phones used in an identity theft scheme was resold with the complete credit histories of the identity theft victims. Remarkably, the researchers did not use specialized software or tools to break into the phones.
Dave Levin, associate professor of computer science at the University of Maryland and the report’s author, expressed concern about individuals’ lack of basic precautions.
“First off, choose a good pin,” Levin urged. “We found about 20% or so of the phones we purchased had no pin. We turned it on, and it was just unlocked. For the other phones we got into, we guessed the pins because the pins were things like 1234, 6666, these types of things.”
The researchers have notified PropertyRoom.com and committed no longer selling phones containing personal information. However, the company did not respond to requests for further comment.
Addressing this issue with other resellers, such as web outlets or pawnshops, could require legislation. Furthermore, legal action might be required to handle the issue of law enforcement reselling electronics with personal data. Levin, however, argued that the best approach would be for police departments to refrain from reselling phones altogether.
“We didn’t use any of the clever tools and tricks,” Levin pointed out. “Prior work has shown that even when you think you wipe something, it might not wipe something altogether. Not necessarily. We’ve seen that on phones, but the safest thing would have been to destroy the phones altogether.”
Richard Roberts, a doctoral candidate at the University of Maryland and student project lead on the study, shared that many phones contained personal information.
“For over a quarter of the phones, about … 27% that we purchased, we were able to super easily see all of the personal information from the previous person who owned it,” Roberts recounted. “Whether that was texts, phone calls, emails, photos, anything on the phone.”
The implications of this study highlight the urgent need for proper handling and destruction of personal information on used electronic devices. After concluding the study, UMD researchers destroyed the phones, emphasizing the importance of taking security measures seriously when dealing with used electronics.