A technology security firm says it has been able to retrieve thousands of photos, including some very revealing "naked selfies," from used smartphones that were supposedly wiped of all their data.

In an experiment designed to show how smartphone owners don't take the proper precautions to protect their personal data and information, security firm Avast bought 20 used Android phones on eBay.

"Used smartphones are a popular sales item on eBay – more than 80,000 people list their phones for sale each day," Avast's Jude McColgan wrote in a blog post describing the experiment. "It seems like a smart way to make some extra money, but Avast has found out that many fail to protect their identity in the process.

"Most sellers delete all of their personal data prior to selling their used devices… or so they think."

Using "simple and easily available" digital forensics software, the company said it was able to retrieve a mountain of personal data from the used phones, including the following:

  • more than 40,000 stored photos
  • more than 1,500 family photos of children
  • more than 750 photos of women in "various stages of undress"
  • more than 250 selfies of "what appear to be the previous owner's manhood"
  • more than 1,000 Google searches
  • more than 750 emails and text messages
  • more than 250 contact names and email addresses
  • four previous owners' identities
  • one completed loan application

It was not clear which specific types of phones Avast had purchased.

Deleting files not enough

The company later provided an in-depth breakdown of how it retrieved the data.

In this second blog post, the company noted that when people want to delete a file from their device, most will use the standard features – like the "factory reset" option – that come with their phone's operating system. The typical assumption is that doing so deletes the no-longer-wanted data forever.

But on certain older smartphone models, this does not delete the file, the company says. Instead, doing a "data wipe" only erases the indexing of the data, and not the data itself.

"When a file is deleted, the operating system merely deletes the corresponding pointers in the file table and marks the space occupied by the file as free. The reality is that the file is not deleted and the data it contained still remains on the drive," Avast writes.

Independent technology analyst Carmi Levi told CTV News Channel that the process was similar to deleting a "table of contents" from a book.

"The pages of the book are still there, and if you know where to look and you know how to use the right data recovery software (all the data) is there," Levi said.

Avast warns that smartphone owners should be careful how they handle their personal data before they think about selling their phone. Photos, emails, text messages and search engine information can help identity thieves form a more complete profile of you, according to the company.

"They can use this information to watch people's every move, exploit their strange fetishes, open credit cards in their name, or even continue what they started by further selling their personal information online," the company said.

Avast said that deleting files from your Android phone before putting it up for sale is not enough. It recommends overwriting your files using its software to make the files irretrievable.
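The index-only deletion Avast describes, compared with overwriting free space and with the encrypt-then-reset approach Google recommends later in this article, as an added example that is not code from Avast, Google or this article. ToyStorage, its hash-based keystream (a stand-in for real device encryption) and the canary data are constructed assumptions.

```python
import hashlib, os

BLOCK = 32  # toy block size; equals one SHA-256 digest
CANARY = b"CANARY loan application, constructed sample data. " * 2

class ToyStorage:
    """Constructed model of a phone's flash: raw blocks plus a file table."""
    def __init__(self, nblocks=16, key=None):
        self.raw = bytearray(BLOCK * nblocks)
        self.table = {}                      # the "table of contents"
        self.free = list(range(nblocks))
        self.key = key                       # None models an unencrypted device

    def _crypt(self, blk, data):
        # Toy keystream standing in for real disk encryption; not a real cipher.
        if self.key is None:
            return data
        ks = hashlib.sha256(self.key + blk.to_bytes(4, "big")).digest()
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, name, data):
        self.table[name] = []
        for off in range(0, len(data), BLOCK):
            blk = self.free.pop(0)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.raw[blk * BLOCK:(blk + 1) * BLOCK] = self._crypt(blk, chunk)
            self.table[name].append(blk)

    def index_only_reset(self):
        # The behaviour Avast describes: pointers dropped, blocks marked free.
        self.table.clear()
        self.free = list(range(len(self.raw) // BLOCK))
        self.key = None                      # any encryption key is discarded too

    def overwrite_free_space(self):
        for blk in self.free:
            self.raw[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)

def canary_survives(encrypted=False, overwrite=False):
    """Plant a canary file, reset the device, then search the raw image for it."""
    dev = ToyStorage(key=os.urandom(32) if encrypted else None)
    dev.write("loan_application.txt", CANARY)
    dev.index_only_reset()
    if overwrite:
        dev.overwrite_free_space()
    return CANARY[:BLOCK] in bytes(dev.raw)

if __name__ == "__main__":
    for kw in ({}, {"overwrite": True}, {"encrypted": True}):
        print(kw or "reset only", "-> canary recoverable:", canary_survives(**kw))
```

Planting a known canary and searching the raw image afterwards is also a practical way to check that a wipe procedure actually removed data before a device leaves your hands.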

In response to media reports about the experiment, a Google spokesperson told technology website Ars Technica that Avast's experiment appears to be based on older devices that do not have the security protections in Android versions that are used by 85 per cent of users.

"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years," the Google representative said.

But Levi said smartphone users should really question whether the little bit of extra money they might get from selling an old phone is worth the risk of having their personal data potentially out there.

"I don't sell my devices; I just give them to my family members and let them use them. If my kid finds something, that's OK because he'll come right to me," he said.