The money is tempting when it is for stuff that is gathering dust on your floor. An iPad 3 will bring you maybe $100. An iPhone 5 perhaps $50. A BlackBerry Z10 brings a sawbuck. A Google Nexus 7 tablet is good for $5. But is it safe to sell smartphones, tablets and computers? Are you setting yourself up for identity theft?
We are talking devices you don’t use. Maybe those you haven't touched in a a couple years. That stuff lying dormant in drawers can be alchemized into cash quite quickly by virtue of the Internet's efficiency. And even $5 buys a bagel and a coffee. With $100, you have the dough for dinner for two at a good ramen counter (with beer!). All for stuff you have no use for. And yet there are many others who want this equipment. Some are abroad, others are on tight budgets in the U.S.; either way it is a rare piece of technology that cannot be sold at eBay, Craigslist or focused resale sites such as Gazelle.
But then there is the problem of all the data on the device. There are passwords, log-ins and lots more for online banking, PayPal, Gmail, and down a long line of the services and sites we routinely access on mobile phones and with tablets.
Can you wipe it before selling? That is the money question and, yes, pretty much every phone and tablet comes with instructions on how to wipe. (On iPhone 6, go to SETTINGS, Reset, Erase All. On Nexus 6, go to SETTINGS, Backup & Reset, Factory Data Reset.) Computers, too, generally come with hard drive reset instructions.
“Couple years back, I bought 30 laptops, desktops, netbooks, notebooks, tablets, Macs and mobiles through Craigslist," said Robert Siciliano, identity theft expert with BestIDTheftCompanys.com. "Of the 30, three of them had never been wiped, meaning that I bought the devices exactly as they once sat on someone’s desk. The original owners had made no effort to clean out the data, which meant that I was able to access the records of their entire digital lives. 27 of the devices had been wiped. Of the 27 wiped drives, 17 contained remnants of the previous users’ digital lives. Despite the effort made to reformat or reinstall the operating systems, there were partitions and leftover data on the drives.”
Siciliano is saying that on 27 devices that had been wiped he nonetheless was able to find meaningful data remnants on 17, almost two in three. He also said 10% of the devices had not been wiped at all, despite how easy it is to do.
Similar has been reported by Blannco Technology Group, which said that in a study it found “varying amounts and types of residual data on used mobile devices, hard disk drives and solid state drives purchased online from Amazon, eBay and Gazelle. Based on an examination of 122 pieces of second-hand equipment, 48% of the hard disk drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos were retrieved from 35% of the mobile devices.”
Blannco added: “it was discovered that a deletion attempt had been made on 57% of the mobile devices and 75% of the drives that contained residual data.”
Yes there's a risk, but what if you still want the money? Maybe you can get it - if you proceed with real caution.
“I sell my old stuff all the time," said Chad Taylor, a manager at ABT Electronics, a big retailer in Illinois. "But I am very careful. With phones and tablets, I always make sure that I wipe the phone using the factory restore application several times. And with my computers I pull the hard drives before selling them. I might not get as much for them because the hard drive is not in the computer, but I do not worry about my personal information being recoverable after I sell my device.”
Jonathan Voris, an assistant professor of computer science at New York Institute of Technology, offered more tips. On phones and tablets, he said encrypt the data (which happens by default on an iPhone when you set up an PIN). Encryption makes data vastly harder to decipher, even for many police and government agencies.
The second tip from Voris: even after running reset and wipe routines a few times, go an extra step and “repeatedly write new data which is not sensitive, such as pictures, songs, and other media files.” Why? Those big files will overwrite stray data on the device, probably putting it beyond retrieval.
A tip from multiple experts - before wiping, click through sensitive apps - from PayPal to Skype - and log off the service on that device. Where possible, disconnect the device from key services.
Will doing all this keep you safe? Most experts believe, yes, probably. But nobody is saying guaranteed.
That means this is your call. Know the risks - however small they may be - and the choice is yours.