secondhand memory cards

Two-thirds of secondhand memory cards sold to the public still contain personal data from their previous owners, according to a recent study conducted by the University of Hertfordshire and commissioned by Comparitech.

The team purchased and analyzed 100 used SD and micro SD memory cards from eBay, conventional auctions, secondhand shops, and other sources over a four-month period. They created a forensic image—a bit-by-bit copy—of each card, then used freely available software to recover data. The majority of cards were used in smartphones and tablets, but devices also included cameras, SatNav systems, and even drones.

In those 65 cards that still contained data, researchers unearthed troves of personal information and sensitive materials. Intimate photos, passport copies, selfies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and important documents are just some examples of the data left behind.

Such information could be used by criminals for any number of purposes ranging from blackmail to identity theft.

Here’s the breakdown of the 100 cards included in the study:

  • 36 were not wiped at all—neither the original owner nor the seller took any steps to remove the data.
  • 29 appeared to have been formatted, but data could still be recovered “with minimal effort.”
  • 25 appeared to have been properly wiped using a data erasing tool that overwrites the storage area, so nothing could be recovered.
  • 4 could not be accessed (read: were broken).
  • 4 had no data present, but the reason could not be determined.
  • 2 cards had their data deleted, but it was easily recoverable.

The cards’ storage space ranged widely from 128MB all the way up to 128GB:

A growing problem

The report authors emphasize that the problem of remnant data on secondhand devices will only worsen without more effective public education.

“The problems arising from the disposal of memory cards are likely to increase as the capacity of the cards and the range of devices using them continues to increase,” the report reads. “Greater memory storage allows for greater volumes of personal and sensitive data to be exposed.”

Not only will the amount of data increase as time goes on, so too will the diversity of that data. The report states, “For example, satellite navigation systems (SatNav) data can be used to determine the home location of the user, and also the routes that they regularly use and locations that they have identified as being of interest, which may include their place of work and the homes of family and friends.”

The authors propose repeating the study periodically in subsequent years, although they do not specifically state they will be the ones conducting such future studies.

Although storage demand will continue to increase, that storage won’t necessarily exist on end user devices in the long term. As broadband speeds increase and memory gets cheaper to manufacture, remote cloud storage could mitigate the amount of personal data we save directly to our devices.

Raising awareness about remnant data

Public exposure of personal information has been a hot topic for the media and various governments over the past decade. But despite the rise in privacy awareness, data security risks from remnant data are being ignored, says the report. The authors lay the blame at the foot of consumers, manufacturers, and resellers of storage media.

While governments often publish good advice on how to clean memory cards prior to resale or disposal, the study says such information “was not necessarily easy to find” in the UK. Despite that, a quick Google search for how to erase data from a storage device returns a wealth of other guides and tutorials, so consumers are not at a loss for advice.

“It is difficult to understand why so many users still fail to remove the data on the media that they are selling as there is widely available software (both proprietary and free) that can be used for the secure deletion of data prior to resale,” the report states.

“[Sellers] are either not responding to the warnings or are disregarding them. While the sellers had, in some cases, claimed prior to sale that the media had been formatted or wiped, in other cases they had included a disclaimer saying that there may be data present and that they buyer should remove it.”

The authors note that manufacturers of memory cards and the devices that use them ought to be more proactive in educating users on proper data removal and disposal. “Given the short life cycle of current digital devices, with users regularly replacing and upgrading their mobile devices, it is perhaps an omission that better advice on data disposal tools (factory reset options or encryption) and advice are not issued by the original vendors.”

The report concludes, “It is evident from this research that the end users of these memory cards are still not well enough informed of the dangers of not ensuring that data has been properly erased when disposing of media that has been used in personal devices and that the users do not take the appropriate actions to remove data from the media permanently before they dispose of it.”

How to securely wipe a memory card

As exemplified in the report (PDF), often the problem is not that people don’t wipe their SD cards; it’s that they don’t do it properly. Simply deleting a file from a device only removes the reference that points to where a computer could find that file in the card memory. It doesn’t actually delete the ones and zeros that make up the file. That data remains on the card until it is overwritten by something else.

For this reason, it’s not enough to just highlight all the files in a memory card and hit the delete key. Retired cards need to be fully erased and reformatted—a “quick” format might not get the job done.

Check out our guide if you’d like to learn more about how to securely wipe any external memory device, such as an SD card, USB flash drive, or external hard drive.

8 bytes vs 8GBytes” by Daniel Sancho licensed under CC BY 2.0