It's almost impossible to get rid of personal information from some devices, even if you follow the manufacturer's directions for wiping the device clean.
Android phone users should not resell their phones if they want to protect their personal data, a security expert says. Above, the Samsung Galaxy Nexus phone. (Jerome Favre, Bloomberg / October 19, 2011)
Thinking of selling or giving away your smartphone or laptop computer? If you have a BlackBerry or an iPhone, go right ahead. But if you have an Android phone or a computer running Windows XP, you may want to hold off.
It turns out that it's almost impossible to get rid of personal information from some devices, even if you follow the manufacturer's directions for wiping the device clean.
Robert Siciliano, identity theft expert for the technology security firm McAfee, found this out in an experiment he conducted over the fall and winter. He bought 30 electronic devices from Craigslist — mostly smartphones and laptops — to see how effective people were at removing personal information from their gadgets before selling them.
Siciliano was shocked to discover that some people didn't take any security precautions at all before selling a computer.
"One guy asked me to log him out of Gmail if he was still logged in," Siciliano said. "I had no idea how naive some people can be."
In the end, Siciliano was able to glean personal data from 15 of the devices through his own hacking efforts and the help of a forensic expert. That information included bank account information, Social Security numbers, child support documents, credit card account log-ins and a host of other personal data.
And the worst part? Most of those phones and computers had already been "wiped" by their previous owners — meaning all personal files had been deleted and the user had restored the device's factory settings as per the manufacturer's instructions.
"What's really scary is even if you follow protocol, the data is still there," Siciliano said.
So, what's the difference between the devices that still reveal personal information after being wiped and those that don't?
Siciliano said it came down to the type of device and the operating system.
BlackBerrys were totally impenetrable. "RIM has fantastic software," he said. "They did a really good job of destroying data when you reset the factory settings."
Devices running iOS, such as the iPad and iPhone, and computers running Windows 7 can also be wiped clean of personal data, as long as a person follows the manufacturer's directions.
If you have a BlackBerry, Apple device or computer running Windows 7 you'd like to sell, Siciliano recommends backing up your information first and then following the manufacturer's directions for restoring its factory settings.
If you've misplaced the little booklet that came with your device, you can find directions by typing "wipe BlackBerry" or "wipe iPad" into Google search, which should take you to BlackBerry- or Apple-sponsored Web pages with detailed instructions.
Don't think that your data are safe if you remove the SIM card from a phone. The only information you will protect that way is your contact list, but all other personal information will still be available on your phone.
If you are planning to buy one of these devices secondhand, Siciliano suggests that you wipe it again just to be safe, and also that you run an anti-virus program on it.
As for smartphones running the Android system and computers running Windows XP, Siciliano said he recommends people don't sell them at all.
"Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it," he said. "You don't want to sell your identity for 50 bucks."