The telecommunications industry is heating up right now, following the FCC’s latest proposed regulation that would require broadband and wireless carriers to get consumers’ permission before sharing data with third parties, such as marketers.
In a recent op-ed in the Huffington Post, FCC Chairman Tom Wheeler said, “Every broadband consumer should have the right to choose how their information bits should be used and shared.”
With this proposed regulation, telecom providers are now under pressure to review their overall security postures to determine where the weaknesses lie, and to quickly find solutions for these vulnerabilities. And while most will look to revamp to ensure and reassure that their customer’s data is protected, one weakness that must not be overlooked is the data that’s left on second-hand mobile devices that these companies buy back and resell – specifically as device upgrade cycles come full circle with customers.
The second-hand mobile market is huge. In fact, Gartner estimates it will be worth approximately $14 billion by 2017. And, it makes sense—new and improved device models are launched all the time and users have a desire to get the latest shiny thing. Because of how expensive smartphones have become, most users are inclined to resell their old phones to recoup at least some of their original spend.
But at that point of resale (for the consumer) and buy back (for the mobile provider), what data removal methods are being used before the used phone makes it way into the next owner’s hands? Is there a guarantee that the original data—including files, emails, texts, call logs, photos and videos—can’t be retrieved after the phone has been resold?
I can tell you that this issue hasn’t been addressed nearly as seriously as it should have been. Recently, Blancco Technology Group conducted a data recovery study, where we purchased over 122 used hard drives and mobile devices from Amazon, eBay and Gazelle and analyzed them to determine the presence of residual data and what types of deletion methods may have been used. What we found was both frightening and unfortunate. Not only did 48 percent of the used drives have residual data on them, but we were also able to recover thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos from 35 percent of the used mobile devices.
Clearly, the proper data removal methods were not used and due diligence wasn’t met by the online resellers to safeguard the original device owners’ privacy. If that isn’t a red flag and a signal of why this type of legislation is so necessary, I don’t know what else is. Without legislation like the one proposed by the FCC, there are too many scenarios that could occur where users’ personal information is not removed completely—opening the door to the possibility of data falling into the wrong hands.
It seems as though broadband providers are primarily concerned with how the regulation could hurt them in the immediate. But they’re not thinking of the harm it could do to their business in the long-term—if their customers’ data isn’t removed properly when they’re buying back and reselling used phones and tablets (as most do), that could result in a data breach, legal fines, lost customers, diminished sales and so much more. Before jumping to criticize the regulation, I would strongly advise telecommunications providers to think through all of the possible damage they could incur if they don’t take data privacy more seriously.
Pat Clawson is CEO of Blancco Technology Group, a provider of mobile device diagnostics and secure data erasure solutions.
Filed Under: Industry regulations