5 On Your Side

Nude photos, private emails: What's hiding on your old phones?

Posted May 20, 2013

— Statistics show people replace their cellphones, on average, every 18 months, according to the U.S. Environmental Protection Agency.

Of the more than 1.2 billion cellphones in use worldwide, many contain private information – such as pictures, text messages, emails and bank data – even after the phones are discarded, recycled or sold.

The 5 On Your Side team gathered old phones that had been tossed into area recycling bins, accessible to the public, and asked a Raleigh-based digital forensic expert to see what information he could extract from the phones.

“There is literally enough on some of these phones to stalk someone from where they work to where they live to where their kids go to school,” said Lars Daniel, a certified digital forensics examiner and forensic artist with Guardian Digital Forensics.

Daniel retrieved hundreds of contacts, text messages, emails and a few compromising photos during his first, cursory review of the phones. Many phone photos now embed geo-location data that pinpoints exactly where the photos were taken, which is “quite frightening,” according to Daniel.

“This person took multiple pictures of themselves posing nude. You can see who they were sent to,” he said. “You could post those pictures on (the woman’s) Facebook account. You could put them on Pinterest. You could put them on Twitter. You could put them anywhere that will allow you to post photos.”

Most of the information Daniel found was easy enough for the average person to access. Then, using data recovery tools anyone can download for free on the Internet, he found more concerning information on one man’s phone.

private cellphone info Private info can remain after cellphones discarded

“We were able to recover email addresses – his email addresses, his friends’ email addresses – his Skype account information, his dog’s name, his interests – such as that he plays Dungeons and Dragons – where he works, his shifts at work based on his calendar. We have access to his Gmail account, so we can read and view all of his emails,” Daniel said.

“We also have access to his Twitter account, so we can go in and post things … recent locations where he was based on GoogleMaps and also access to his Dropbox account, which is a cloud-based storage system for your files,” he added. “But since it's already connected to the phone, we can access his files without needing his username or password.”

Daniel said he also found “very interesting conversations between what look like bookies and gambling” on another person’s phone.

Discarding a phone with private information on it can be unsettling, according to Daniel, but how that information is used, if found, can be personally and financially devastating to the original owner.

“I could send someone's wife an email if I got one of these phones, asking for information such as, ‘I forgot your Social Security number. I forgot the password to our bank log in,’” he said.

To delete private information before discarding a phone, Daniel suggests going into the phone’s settings and using the factory erase or factory wipe feature (the factory reset feature does not always delete information). Then, open the back of the phone and take out the battery, SIM card and SD or micro SD card, if the phone contains them, and discard those separately.

Those who have critical information on their phone, such as business or financial data, should go to the phone’s carrier to get it wiped clean.

“It's a great thing to recycle. It's not a great thing to give away your personal information,” Daniel said.

Pam Swanstrom gave her old phones to 5 On Your Side for testing. She wanted to sell her old iPhone but was uneasy about what personal information might still be on it and some of her older phones, even though she used the factory erase feature.

“Any kind of personal data, credit card information, passwords, anything like that – that could be a problem,” she said.

The 5 On Your Side team took Swanstrom’s phones to Daniel to see what he could dig up.

“Nothing was recoverable. It was completely clean,” he said.

“Really? That’s awesome,” Swanstrom said. “I am going to put it on eBay.”

Daniel also examined phones from an area pawn shop, as well as old phones from 5 On Your Side’s coworkers and friends who believed they had stripped their phones clean. All of the devices had been erased properly, Daniel said.

How to protect your phone if it's lost, stolen, ruined

Consumer Reports estimates that, in the past year, more than 7 million smartphones were lost, stolen or ruined. Researchers found that 40 percent of smartphone users did not take any precautions to protect their information, such as backing up their data or setting a screen lock.

For those who do set a screen lock, Consumer Reports suggests making the password longer than four numbers. Instead, set a longer pass code with letters and symbols.

Android phones let you do it by going to "settings," but then each phone is a little different. On one, choosing "security" and then "screen lock" gets you to the password reset. On another, you can choose "lock screen" and then "screen lock" to change your password. It just depends which phone you have.

With iPhones, it's even trickier. Under "settings," choose "general" and "pass code lock." Check that the "simple pass code" is turned off. Then choose "turn pass code on." Now, you can enter your longer pass code.

Smartphone users should also beware of applications that ask for permission to do too much, such as a simple flashlight app that asks for the phone user's location and information about calls.

Consumer Reports says free apps could be selling your identifying information. A variety of parties, including Apple and Google, which offer apps for the iPhone and Android, may be able to collect enough information including your phone's location and its unique ID to track your activities.

Users should also beware of free WiFi. Millions use the connections for financial transactions, making it easy for someone else to grab your information. 


This story is closed for comments.

Oldest First
View all
  • HomeBrewDude May 22, 2013

    There is a difference between deleting and "wiping". The BlackBerry has a built-in secure erase functionality that overwrites the deleted information so it cannot be restored. The SD card can be pulled and re-formatted in a desktop/laptop as dcatz states but many devices do not have SD cards these days (iPhone) so you have to perform a secure erase using the device.
    The built in “Erase all Content and Settings” function (found in the Settings app, under General → Reset) should be sufficient in virtually all cases.

    The 3GS and later iPhones, 3rd generation and later iPod Touches and all iPads use hardware encryption, where all data is stored encrypted in their flash memory. On these devices the wipe function simply deletes the encryption key, rendering the data not much more useful than random noise. On devices without hardware encryption, the wipe function overwrites the entire user partition with ones. This is more secure with flash memory than doing the same on a hard dr

  • gobbledygook May 22, 2013

    @dcatz well written!

  • taskmaster27858 May 21, 2013

    It will be a scary site if someone saw some nude pictures of me lol

  • dcatz May 21, 2013

    "I thought a digital footprint remained even after you deleted items. I know I accidentally erased an sd card once and was able to recover not only the files I had erased, but every single file that ever occupied the card. Be careful what you think you've deleted."

    When you "delete" a file, it isn't actually deleted but rather it is simply marked as deleted so that it appears as free space. As long as something hasn't overwritten it, it is still recoverable. It would be too slow to actually erase the file at the time of deletion. If you want to truly wipe an SD card, you need a secure erase tool that actually zeros out any deleted files.

  • allarskc May 21, 2013

    I thought a digital footprint remained even after you deleted items. I know I accidentally erased an sd card once and was able to recover not only the files I had erased, but every single file that ever occupied the card. Be careful what you think you've deleted.

  • HomeBrewDude May 21, 2013

    @newssaavy - What happened in the Nancy Cooper case is that the Cary PD Officer was trying to access a BlackBerry. There are parameters whereby if a user attempts to hack in, it warns that all data will be permanently erased if they attempt again. Which is what happened. The officer destroyed evidence in this case. Basically folks, you need to know what you are doing. If you just erase that picture or text without wiping the whole device, it can still be retrieved - just like on a computer... I am with jdupree below - just don't do it. Once it is "in the wild" it is out there.

  • newssaavy72 May 21, 2013

    Scary all around...

  • Deb1003 May 21, 2013

    Yet, the police were able to wipe out Nancy Cooper's phone w/ one action. According to the police. I just don't understand how we're able to recover photos from one phone, but not able to retrieve texts from another.

  • xylem01 May 21, 2013

    Nothing dumber than owning a smart phone.

  • gobbledygook May 21, 2013

    FYI, factory reset or taking it to a carrier to reset it, doesn't wipe everything completely... yes it does if you take it at face value, but it is still stored in the phone until you do a complete wipe out using forensic computer software to reset and re-write data.