Used Smartphones Often Hold Past Users’ Data

    Oct 27, 2015

    Gartner predicts the global market for refurbished smartphones will grow to 120 million units by 2017, up from 56 million in 2014. According to Gartner, just 7% of old smartphones are sent to recycling programs. The majority – 64% – are reused, with 41% being traded in or sold privately and about 23% handed down to other users.

    Recycling is not necessarily a bad thing; however, in this case, it may be risky. While data creation today is as simple as sending a text message or taking a photo, deleting that data is not always as easy.

    Recent research conducted by Blancco Technology Group and Kroll Ontrack studied the prevalence of data “ghosting” on resold devices and found that more than one-third of secondhand smartphones contain information created by past users.  

    According to that survey, “In an examination of 122 pieces of second-hand equipment, 48% of the hard disk drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos, and videos were retrieved from 35% of the mobile devices.”

    In addition, the research found that 57% of used mobile devices and 75% of used hard drives purchased from Amazon, eBay, and Gazelle had previous unsuccessful deletion attempts.

    These figures are worrisome, given the growing secondhand marketplace for used devices and even more so within the context of increasing BYOD-policy prevalence, Legaltech News said. For example, without secure management of BYOD-enabled devices, data contained on resold employee devices may escape from company-secured networks.

    “Whether you’re an individual, a business or a government/state agency, failing to wipe information properly can have serious consequences,” Paul Henry, IT security consultant for Blancco, said in an announcement. “One of the more glaring discoveries from our study is that most people attempt in some way or another to delete their data from electronic equipment. But while those deletion methods are common and seem reliable, they aren’t always effective at removing data permanently and they don’t comply with regulatory standards.”

    The survey also reveals that on 11% of the devices reviewed, only basic delete functions were performed before the device was resold. Researchers also found that often-used “quick-formatting” processes are unreliable: a quick format had been performed on 61% of the drives that still held data.

    Needless to say, these survey results should capture the attention of records and information management professionals – on both a personal and corporate basis. Several concerns come to mind and should be addressed in your organization’s policies and procedures:

    • BYOD policies – Does your BYOD policy address the segregation of personal and organizational information? Does the organization have the technology capability to manage this segregation and to enable deletion of organizational information while retaining the personal information?
    • Employee separation practices – Is your human resources department collecting company-owned phones and other portable devices as part of the exit procedure? How does the BYOD policy address the segregation of personal from organizational information?
    • Organization-owned devices – Does the policy allow for recycling or selling used devices when replacing them? Does IT wipe data from the devices or does it rely on a third party? What procedures and checklists are used in the process?

    The ARMA International technical report Mobile Communications and Records and Information Management (ARMA TR 20-2012) provides a useful checklist of policy and procedure considerations when implementing a mobile device program. This publication is available for purchase through the online store at


    © 2016, ARMA International