Used Cellphones Hold Trove of Secrets That Can Be Hard to Erase

Trust Digital recently bought from the eBay online auction site 10 used smart phones, each with at least 40 megabytes of memory, for an experiment in data recovery. Using simple software created in-house, the firm's technicians retrieved an astonishing variety of information -- one company's plans to win a multimillion-dollar federal transportation contract, e-mails about another firm's $50,000 payment for a software license, bank accounts and passwords, medical prescriptions, and receipts for utility payments.

Then there was the text-message exchange between a man and his paramour, who Trust Digital determined was not his wife from the thousands of pages of personal data on his phone.

Buy This Photo Sam Bachman says he never realized how vulnerable his personal information was. (By Gerald Martineau -- The Washington Post) Save & Share Article What's This? Digg Google del.icio.us Yahoo! Reddit Facebook

"So," the woman typed, "I'll talk to u next week."

"You want a break from me?" the man messaged back. "Then fine."

Paraben, of Pleasant Grove, Utah, buys about 300 used cellphones each year from eBay and other sites for training sessions. Though the sellers think they have wiped the devices clean, 80 to 85 percent of the devices still have data intact, Schroader said.

"We've recovered everything from complete address books . . . to pictures taken in intimate moments. It's like, well, I didn't need to see that," Schroader said.

The fact that cellphones can give up secrets makes them as valuable to law enforcement as to criminals.

Lee Reiber, a Boise, Idaho, police detective specializing in cellphone forensics, has used recovered phone data to crack homicide, child abuse, domestic abuse cases. This year alone he has examined more than 100 phones in criminal and civil investigations and recovered data from 90 percent of them, he said. A man suspected of being a pedophile was undone by his phone. "We had all his pictures," Reiber said.

Besides the Treo, made by Palm Inc., there are other smart-phone makers, including Nokia Corp. and Siemens AG.

BlackBerry devices are in theory among the most secure of smart phones, Schroader said. However, those used by consumers lack the same security features as those used by government and private companies, Laudermilch said. "Even though there may be some security features on the device, most people don't know how or when to use them," he said.

As more people sell their old phones and upgrade to fancier models, Palm has developed a method that not only erases, but also overwrites the data with 1's and 0's, sometimes called the "zero-out" method. Instructions can be found on the Palm.com Web site by searching "zero-out reset" or "factory reset."

Trust Digital recommends that cellphone owners seek advice from device manufacturers, carriers that sold them their phones or their companies' information technology administrators. The Web site Wirelessrecycling.com provides directions for erasing data from many models.

Alerted to the security vulnerability, Bachman pulled his Treo 650 off the market and performed an advanced factory reset by following instructions on the Palm Web site. He said he plans to put the Treo 650 up for sale again. Meanwhile, he is already eyeing the Treo 750, not yet available in the United States.