Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A recent study conducted by academics from the University of Hertfordshire in the UK has revealed that almost two-thirds of second-hand memory cards still contain remnants of personal data from previous owners. For their study, researchers analyzed 100 second-hand SD and micro SD memory cards purchased from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. All in all, researchers say the memory cards they recovered were previously used in smartphones and tablets, but some cards were also used in cameras, SatNav systems, and even drones. The research team says the analysis process consisted of creating a bit-by-bit image of the card and then using freely available software to see if they could recover any data from the card. Their efforts were successful and worrisome at the same time, as the team says it managed to recover data from the memory cards, including intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.
Just Surprised... (Score:4, Interesting)
...that it's ONLY 2/3rds. Who remembers / bothers to erase that data, anyway? For my cameras and GPSs, I doubt that I'd bother. Info available is immensely non-useful to anyone else. A PC memory I would erase, and spend time writing 1's, 0's, and then random #'s to it, but the other hardware I really wouldn't care about.
And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them. Everybody knows that.
Who bothers? WHO BOTHERS? (Score:1)
That's the first damn thing on my mind whenever such a device is leaving my control.
WTF is wrong with you people? Bell curve, that's what.
Re: (Score:2)
That's the first damn thing on my mind whenever such a device is leaving my control.
WTF is wrong with you people? Bell curve, that's what.
I wouldn't even SELL or give away any SD card/ HDD, etc, even if I had wiped it. Not worth potential privacy and identity loss, even if I have wiped it with special software... I just would never take that risk. Who even sells their used SD cards? What do you get $2? Not worth it.
Re: (Score:2)
I have never bothered selling a used memory card. If it is leaving my possession, it gets the "dd if=/dev/urandom of=/dev/sdwhatever" treatment, at least once or twice.
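A way to check that an overwrite like the one in the comment above left nothing a file-recovery tool could pick up, as an added example that is not part of the original thread. It works on a raw image file; the function names, the signature list and the sample image are assumptions constructed for this illustration.

```python
import os

SECTOR = 512

def classify(sector):
    """Name the file type whose header starts this sector, or None."""
    if sector[:3] == b"\xff\xd8\xff" and sector[6:10] in (b"JFIF", b"Exif"):
        return "jpeg"
    for kind, magic in (("png", b"\x89PNG\r\n\x1a\n"), ("pdf", b"%PDF-1."),
                        ("sqlite", b"SQLite format 3\x00")):
        if sector.startswith(magic):
            return kind
    return None

def scan_image(path):
    """Return (hits, nonzero_sectors, total_sectors) for a raw image."""
    hits, nonzero, total = [], 0, 0
    with open(path, "rb") as img:
        while sector := img.read(SECTOR):
            nonzero += any(sector)          # counts sectors holding any data
            kind = classify(sector)
            if kind:
                hits.append((total * SECTOR, kind))
            total += 1
    return hits, nonzero, total

def overwrite(path):
    """One pass of random data over every byte (what dd if=/dev/urandom does)."""
    with open(path, "r+b") as img:
        left = img.seek(0, os.SEEK_END)     # size; also works for block devices
        img.seek(0)
        while left:
            n = min(left, 1 << 20)
            img.write(os.urandom(n))
            left -= n
        img.flush()
        os.fsync(img.fileno())

def build_sample_image(path, sectors=64):
    """Constructed stand-in for a 'deleted but not wiped' card: the directory
    entry is marked deleted (0xE5) but the file data is still in place."""
    img = bytearray(sectors * SECTOR)
    img[SECTOR:SECTOR + 11] = b"\xe5MG0001 JPG"                 # deleted FAT entry
    img[10 * SECTOR:10 * SECTOR + 11] = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    img[30 * SECTOR:30 * SECTOR + 8] = b"%PDF-1.4"
    with open(path, "wb") as f:
        f.write(img)
```

Run `scan_image` before and after `overwrite`: the sample image reports a JPEG and a PDF header before the pass and none after it.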
Re:Just Surprised... (Score:5, Insightful)
And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them.
That kind person who made you lose the card is selling; he can't drink, smoke nor inject that card in its present form. And you did not get an opportunity to clean the data.
Thus, we'd need some way to encrypt the cards yet still be able to comfortably share them between diverse systems, as unless the card is sitting in the dust behind your couch, the data is likely to be used. Not by the direct "finder", but as soon as anyone pays for the copy, those nudes and bank statements will be out there. Oh, by the way: if you're evil enough, here's a business opportunity. Don't take it.
Re: (Score:2)
I read that the SD secure part which consists of 20% of the card is still present, but you have to have a special controller to access that part. I wish the specs were more open, as it would possibly be a useful way to back up sensitive data, or just store the key to the rest of the card there.
Limited erase/write cycles (Score:1)
Also, given that flash cards have a limited number of erase/write cycles, doing a proper erase would reduce the lifespan of the card significantly (at least compared to a hard drive).
Re: Just Surprised... (Score:1)
Not before she makes a backup copy on Carlos Danger's laptop.
Re: (Score:2)
That's nothing! A few years ago some folks bought 100 used copy machines. In every case, the hard drives in those machines had not only records of copier usage, but the actual documents that had been copied. Wait...you didn't know that copiers had hard drives and kept copies of documents? Some of the used copiers had come from police stations, and had copies of case documents on them.
Be careful what you copy and where!!!
Re: (Score:2)
What blows my mind is that it isn't hard to create an encryption system to guarantee that temporary files stored there are zapped. It can be as simple as deleting the old cruft, creating an LUKS volume or eCryptFS directory on bootup, keeping the key in RAM, and storing files there. If the copier gets power cycled, the keys are forgotten, and the documents are never accessible. Next bootup, the files are cleared out, and a new volume is made.
If the copier uses Windows, a partition that is formatted and a
Re: (Score:2)
Info available is immensely non-useful to anyone else.
Last time I found a memory card the contents were useful enough to directly identify the owner even though it contained nothing but camera snaps. Hell the last 2 times that was true and the second time I found the camera in the bottom of the ocean.
Don't discount what is on your memory card. It's like those people who don't realise that posting a selfie with your plane ticket barcode visible is about all that is needed for someone to come in and cancel your flight on you.
Re: (Score:2, Funny)
If you weren't a lazy bastard you'd click on the relevant link to see that this study was commissioned by a company.
But you are, so you waste a lot of bandwidth just to be a POS.
Re: (Score:1)
Two of your questions were answered. You asked, "Who proposes such a study and then who approves it?" The previous comment explains that the study was commissioned by a company. More specifically, the company was Comparitech.com, which is in the article. And since the University of Hertfordshire conducted the study, I'd say there's a good chance they approved it. If you're looking for the name of a specific individual or group who signed off on it, I'd recommend getting in touch with the university dir
Re: (Score:1)
I'm just not understanding why this makes you so angry. Maybe the company has an idea for simplifying the task of secure deletion for non-tech-savvy users, and wanted to commission a quick-and-dirty study to see how prevalent the problem of recoverable data on secondhand media is before proceeding? Maybe they just want to use it as propaganda to convince people to only buy new media, as you suggest (which I agree would be unethical). But to get so upset about it suggests that you feel it is materially ha
Re: (Score:2)
They should do separate analysis of solid state drives and magnetic drives as well to see if they suffer from the same issue.
Why? That is what I would call: settled science [scmagazineuk.com]
Incidentally that study on harddisks a few years back also got to the number two-thirds. Maybe two-thirds of people don't know basic data security regardless of what they are selling online :-)
It's probably an undergraduate project (Score:1)
The only problem is that taxpayers are funding it.
There should be a separation of Education and State.
Re: (Score:3, Insightful)
There should be a separation of Education and State.
No... there really shouldn't be. Not even close. That's about the stupidest idea I've heard in a long time. We had that in the 1700's. If you want 2% literacy follow that route! It's a benefit to EVERYONE that all of society is educated. Even if you're some rich snob, it's to your benefit that society is educated enough that it can create entrepreneurs, doctors, etc.
Re: (Score:1)
We had that in the 1700's. If you want 2% literacy follow that route! It's a benefit to EVERYONE that all of society is educated.
Where did you learn that, a government school?
Try going to actually look up the literacy rate in America before the US implemented the Prussian System, when most schools for poor were run by charity, and compare it with other countries around the world that had state education, paying special attention to the counties of comparable wealth.
I know, learning is hard and you don't ha
Re:Academics (Score:5, Informative)
Who proposes such a study and then who approves it?
According to TFA, a company, Comparitech.com, commissioned the study.
Are these the kind of studies Universities should be pursuing?
This wasn't a vast team of world-class researchers. It was likely one undergrad on academic probation working for class credit, sitting at a desk with a small pile of cards, plugging each one into the slot and pushing a button. Total cost: about $200 to buy the cards.
Re: (Score:2)
Next question: How many used infected Windows laptops do you have to sell, before your keylogger sends back some "interesting" data? J/K
Re: (Score:1)
Nice link :D
Who sells them? (Score:3)
Re: (Score:2)
Stupid people that's who!
The sort of people that do not know how to properly delete files (really a once over zeroing is fine, or choose your favourite number!).
I am more worried about the sort of people that buy these second hand cards to trust their data to!
I have many old cards. I should bin them but I like to hoard! They are all far too small anyway (16gb is the minimum these days, 64gb is usual, your view may differ!) I tend to buy above the burger price but below the point where the price gets silly.
Re: (Score:2)
I have many old cards. I should bin them
Which raises the question of what is the environmentally way of disposing of them?
That's one reason I also have a hoard of memory cards - I have no idea of the best way to dispose of them and the amount of money I'd make on selling them isn't worth my time*
---
*Anyone want to bid on a SanDisk EC-8CF 8MB CompactFlash card? It's Nikon branded!
Re: (Score:2)
But there isn't really an environmentally sound way to dispose of them.
Throw them into an active caldera. They get instantly melted down and form part of the earth's magma. The only downside is you have to walk to the volcano- not drive because driving pollutes. Some people have a longer walk/swim than others.
Re: (Score:2)
Which raises the question of what is the environmentally way of disposing of them?
What about an SD card is hazardous?
Re: (Score:1)
Neckbeard tears are highly toxic, you'd never decontaminate their hoard.
I'd just take them to the local tech recycling nonprofit in an unmarked bag, and just don't even mention where they came from. They probably have neckbeards that attempt to volunteer in exchange for free computers, especially before they learn that the volunteering needed is all manual labor. So they have to already have some precautions; they'll be able to contain any outbreaks. So don't worry. Just don't tell them, they don't want to
Re: (Score:2)
I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.
Where are you getting 400 used memory cards a month?
Re: (Score:2)
I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.
So you are buying them for $6 and selling them for $5 with the intention of making up for the losses with volume?
Re: (Score:2)
Yes. I call it the Tesla strategy.
Booooo! You're bashing Musk again! Booooo!
- I was expecting to see you on the Musk offering to help the Thai cave victims article earlier. You let me down, you weren't there.
Re: (Score:2, Insightful)
Thieves. That's also why they don't bother erasing the card.
Re: (Score:2)
Thefts come to mind, be it cell phones, cameras, or whatnot. A cell phone, even if it will never work for a provider, is still worth a lot, due to the screen and other parts, and a SD card, especially a larger one, is just icing on the cake.
Some Android phones do a great job at full volume encryption, so the SD card's loss means data isn't lost. Other phones don't do that, which can be a security risk.
You've discovered my secret! (Score:3)
Oh, wait, people are still lazy? Don't care about security? Wouldn't know how to wipe a card even if they did care? Well, then, I guess I'm all set.
disclaimer: this post is in jest
Re: (Score:2)
Quite the racket you've got going on. But what do you do with the cards after you get the data off of them and blackmail the owners? That's a lot of media. I was thinking, you know, cost per gigabyte on memory cards is so low, it's almost negative. I bet you could do something fun with drive clustering if you had the hardware to do it.
Re: (Score:2)
Load them with malware, then sell them back on eBay! Or sprinkle them at various political gatherings to see who's gullible enough to pick them up and plug them in.
Re: (Score:2)
How devious.
Re: (Score:2)
I like the political espionage angle.
Re: (Score:2)
Most memory cards can be used directly by microcontrollers with built-in SPI communication. Even just an Arduino can give the access. Not to make it fast, but when you're hunting for a "fun" use case, that won't matter; you can still over-build it.
Re: (Score:2)
They're on the card, you just need PhotoRec.
Link to original source (Score:4, Informative)
I could not find the link to the actual report in the summary or the linked article (unless I missed it). But some googling located it.
https://cdn.comparitech.com/static/docs/survey-data-remaining-second-hand-memory-cards-uk.pdf
It is linked in the story of the company that commissioned the research in the first place: https://www.comparitech.com/blog/vpn-privacy/secondhand-memory-card-study/
99% percent of second-hand condoms (Score:1)
Contain genetic material from previous owners.
SD card sellers are cows. (Score:1)
You are all cows. Cows say moo. MOOOOOOO! MOOOOOOO! Moo cows MOOOOOO! Moo say the cows. YOU DBAN-NEEDING COWS!!
Re: (Score:2)
I doubt they'd manage dban, if you want these cows to make progress that easy you'd have to somehow teach them to follow a shepherd.
No, you're going to have to team up with app guy for this one. Make it easier.
TRIM on file deletion would do the job (Score:2)
but alas SD cards don't seem to support it.
FAT chance (Score:1)
P.S. The only reason I know so much about FAT is I tried to write a boot sector virus in assembler in school. Yeah, it didn't work as expected and I en
Re: (Score:2)
Which is ironic, given the high percentage of fat programmers.
Re: (Score:3)
I'm not fat, I've got big ntfs!
Re: (Score:2)
This reminds me of this story [iit.bme.hu].
Re: (Score:2)
Most filesystems in common use don't delete the file's contents, so what's your point?
Help me out (Score:2)
Why is it shocking that you can recover unsecured data from a used memory card again? Especially when you're using recovery software to do the job? This one falls into the "no duh," category.
people don't understand or don't care (Score:2)
This is nothing new. Several years ago, a local electronics junk store got in a bunch of Blackberries of various models (probably a company going out of business) and were selling them for something like $5 apiece. Daughter was a major texter at the time, and liked the retro look and superior keyboard, so we bought several different models so she could switch between them as her mood took her.
We discovered that all but one of them had not been wiped. Appointments, phone numbers, baby pictures, still inta
Re: (Score:2)
Toss memory cards in fire. Don't breathe the fumes.
A sledgehammer for the HD. It's not enough to mangle the logic board, stepper and heads, you have to destroy the discs.
On selling devices, you're right, but I don't think regular people know enough, and there's few around willing to tell them.
Time for storage to be encrypted by default? (Score:2)
It would cost a bit more but maybe it's time for camera-cards, USB sticks, and the like to routinely use strong encryption with a non-secret-by-default key stored on the medium itself.
To the end user, it would "just work" except there would be a "quick erase" mode that would scramble the key then either do a normal operating-system-level "long" or "quick" format using the new key.
Even a "quick format" by the OS would be good enough since the left-over data would be encrypted with a now-deleted key.
Now, th
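The "quick erase" idea in the comment above, and the forget-the-key approach suggested earlier in the thread for copier scratch storage, modelled as an added example that is not part of the original thread. The `EncryptedCard` class and its layout are hypothetical, and SHA-256 in counter mode is a standard-library stand-in for the AES mode a real device would use.

```python
import hashlib
import os

KEY_SLOT = 32  # bytes at the start of the medium that hold the media key

def keystream(key, start, length):
    """SHA-256 in counter mode; a stdlib stand-in for AES-XTS, not for real use."""
    out = bytearray()
    block = start // 32
    while len(out) < (start % 32) + length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[start % 32:start % 32 + length])

class EncryptedCard:
    """Hypothetical card model: [key slot | ciphertext]. The key is stored on
    the medium itself, so reads and writes 'just work' on any host."""

    def __init__(self, size):
        self.medium = bytearray(os.urandom(KEY_SLOT)) + bytearray(size)

    def _xor(self, offset, data):
        ks = keystream(bytes(self.medium[:KEY_SLOT]), offset, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, offset, data):
        start = KEY_SLOT + offset
        self.medium[start:start + len(data)] = self._xor(offset, data)

    def read(self, offset, length):
        start = KEY_SLOT + offset
        return self._xor(offset, bytes(self.medium[start:start + length]))

    def quick_erase(self):
        """Replace only the 32-byte key; the ciphertext is left where it is."""
        self.medium[:KEY_SLOT] = os.urandom(KEY_SLOT)

def demo():
    card = EncryptedCard(4096)
    secret = b"%PDF-1.4 constructed passport scan"   # constructed sample data
    card.write(1000, secret)
    readable = card.read(1000, len(secret)) == secret
    ciphertext = bytes(card.medium[KEY_SLOT:])
    card.quick_erase()
    return {
        "readable_before": readable,
        "plaintext_on_medium": secret in ciphertext,
        "ciphertext_unchanged": bytes(card.medium[KEY_SLOT:]) == ciphertext,
        "readable_after": card.read(1000, len(secret)) == secret,
    }
```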