Who’s looking at your pictures right now? If you’ve ever sold a used cellphone, it’s likely a complete stranger has sifted through your most intimate memories.
Recently Prague-based security firm Avast made news when they bought 20 used Android phones off eBay, then used basic recovery software to restore deleted files on them. In the process the analysts found more than 40,000 stored photos, out of which 1,500 were pictures of children. The Avast blog also states that they retrieved “More than 750 photos of women in various stages of undress” and “more than 250 selfies of what appear to be the previous owner’s manhood.”
In this age of smart phones and incessant social networking, where the lines between public and personal lives are blurred, we are unequivocally vulnerable. Ironically, at the same time, we have never been more careless with personal information.
ADVERTISEMENT
Jaromir Horejsi, malware analyst at Avast Software says the experiment began when an employee accidently erased his phone’s memory, then found that he was able to resurrect all his files with a “little searching and an inexpensive purchase”. That made him wonder how many other people consider their data permanently gone, when it’s still retrievable by anyone who gets hold of your phone.
Horejsi says, “As the old saying goes, a picture is worth a thousand words. Now add private Facebook messages that include geo-location, Google searches for open job positions in a specific field, media files, and phone contacts. Put all of these pieces together to complete the puzzle and you have a clear picture of who the former smartphone owner was. Stalkers, enemies, and thieves can abuse personal data to stalk, blackmail and steal people’s identities.”
For a generation that’s grown up with technology, we know astonishingly little about how it works. “For years lots of bloggers, including me, have been screaming to people that their data is not safe. Especially with androids where factory reset simply deletes the top layer,” says Karthik Kamalakannan, a tech writer who also works on developing android, iOS and web applications for the future. Avast compares it to deleting the index of a book — so pointers are removed, but chapters remain. “It’s like sticking a clean paper over it,” says Karthik, adding “so information never gets erased. It just gets overwritten.”
ADVERTISEMENT
While Avast’s experiment also uncovered 750 emails, 250 contact names and one completed loan application, the main reaction — from media and the public — was horror at the idea of explicit selfies going public. This, by the way, isn’t the first scare related to cell phone selfies. Over the past couple of years ‘revenge porn’ has been getting attention. This is sexually-explicit media — a majority of which are selfies — shared online along with personal information, without the consent of the pictured individual. (It’s typically uploaded by an ex- partner or hacker).
Fifteen years ago, this might have worried a niche group of people. Today, if you’re under 30 years of age, it’s about 50 per cent of the people you know in the same age bracket. A set of interviews done with college students and young professionals pegged the number higher, with many of the girls saying that at least eight out of 10 of their friends have taken intimate selfies to send to their boyfriends. One student said it’s become especially common with Snapchat. Some said they take at least one a day. (It seems more frequent with people in long-distance relationships.)
Despite the Avast story, all were still fairly casual about taking these pictures, with one respondent saying, “I think to a large extent, when you take pictures of yourself, a part of you knows there is a risk of someone else seeing it or making a copy of it.” The common solution seems to be a “chin and below” code.
All the people interviewed said they change their phone at least once a year — usually by exchanging it for a newer model. Old phones are sold after erasing the pictures, and a ‘factory reset’. Discussing how important it is to ensure your information is safe, Suresh Jumani who runs Chennai-based Mobile Zone store, cautions against simply looking for the cheapest deal, as in many big multi-brand outlets a large number of floating staff handle old phones. “We have seen people hand in phones without even logging out of Gmail, Whatsapp or Facebook,” he says, going on to discuss how his staff are instructed to do a proper master re-set, ensure the data is over-written and then reformat the phone before selling it to another customer.
Androids tend to be more problematic than iPhones which automatically overwrite data with a factory reset. As an additional precaution Jumani keeps a ledger listing names of the customers so they know who bought and sold each phone. “Chennai’s got the maximum churn rate,” says Jumani, “People change their phones once in eight months, on average, as opposed to Mumbai and Delhi where it’s once a year. The old phones are often bought by students, some of whom sell them again.” So in a lifetime a phone can have anything from one to 10 owners.
Robert Siciliano, an Identity Theft Expert with Hotspot Shield conducted an experiment similar to Avast’s in 2012 when he bought 30 mobile phones and laptops from Craigslist and recovered personal data from 15 devices. Discussing how the “public is blissfully unaware of the risks posed with their personal information leaking,” he says he’s also been guilty of selling old devices but will never do that again. If you’re selling your phones he suggests you “seek out software that promises to rid the device of any data beyond a factory reset.”
Or, do what he now does to make sure you’re absolutely safe. “Old phones should be destroyed. With a hammer.”