The Washington Post recently published an article by Chris Velazco, titled “How to securely erase your old hard drives once and for all” (July 8, 2022).
“There are so many stories about people buying used computers online and recovering data,” said Andrés Arrieta, director of consumer privacy engineering at the Electronic Frontier Foundation. “It is kind of scary. It is all your life there.”
Mr. Velazco provides a cookbook for Windows 8.1, 10, and 11, as well as Mac systems. He also addresses nonworking computers.
The same concerns may apply to other devices, such as smartphones and tablets. Before disposing of them, the user should take appropriate steps to safeguard any stored confidential data.
For example: “With so many different devices, apps, and connections in our lives, we tend to forget our cars are connected devices as well. Think about it, your car knows every contact, location, app, and combination. It’s important that you remember this if you’re thinking about selling or trading your current vehicle. You would be surprised how many people sell their car and forget to erase all the personal information stored in its memory. By ignoring this step, you’re not only handing over the keys to your car, but the keys to your life as well.” Vince Pontorno, 5 ways to clear your personal info from your car before you sell it (komando.com) (May 28, 2019).
Others state that: “You shouldn’t lose sleep over the prospect of data theft from Apple CarPlay or Android Auto. The most that someone could potentially get is an identification code from your device, but that’s virtually useless without the device itself.” Kelsey Mays, Do Apple CarPlay, Android Auto Keep Data From Your Smartphone? | News | Cars.com (Mar. 28, 2016).
It turns out you’re more likely to leave more data through a far older technology: Bluetooth. Pair your phone and most connections ask to download the phonebook to enable easy access to stored numbers. A lot of that can stay in the car.
“For every paired Bluetooth phone, the car stores the phone ID and pairing information,” VW’s Gillies explained. “The phonebook data and calling lists are transferred to the car. When you disconnect the phone, the call information is removed from the car’s memory and updated on a following reconnect. The phonebook data persists in the car in order to be available immediately after a next reconnect.”
[Colin] Bird [a technology analyst at IHS Automotive] said the amount of information your car’s Bluetooth system collects “varies by Bluetooth module but typically there is storage for hundreds if not thousands of phone numbers.”
There’s also “a limited amount of space for speed dials and call logs — though some systems record no logs,” he added. “The transfer of this data is between the phone’s memory and the SIM card to the embedded flash memory on the communications module, and what type of data that is transferred depends on the Bluetooth profile supported by the phone.”
So-called “smart” Bluetooth can now handle additional data, “including keystroke data, wireless sensor reporting and the ability to transmit short data packets like messages, emails, calendar notifications, tasks, notes and reminders,” Bird said. Although unlikely, “these in theory could be stored by the module depending on its design.”
And all of that information could be hacked.
Someone could access the module and get your phonebook, recent messages and other basic information, like your phone’s name and Bluetooth key, said Stefan Cross, communications manager for GM’s connected-car division.
Cross said the data stored in the car excludes “any cloud-based information” like financial accounts, where the apps on your device are merely a portal to information online.
Id. While some auto manufacturers, like Honda, state that Bluetooth information is constantly erased, Cars.com wrote:
Before You Leave, Delete the Profile
Others suggest that you delete your phone from the list of paired devices to remove any potential access — an “extra precaution” consumers should take “just to be safe rather than sorry,” Cross said.
“When you delete a phone, you delete the data,” VW’s Gillies said. “The data lives in the infotainment system if it recognizes the phone ID and, obviously, if you wipe the ID, you wipe the data.”
Well, perhaps not quite.
Even if you delete your phone from the list of paired devices, Bird warned there’s a slight possibility that information remains in the car. That’s because the whole Bluetooth connection process “requires a small amount of embedded flash memory,” he explained.
Bird said if you delete your phone, it erases what’s called the “pointer” or “map” that shows where your Bluetooth file — with your address book and more — resides in the system’s database. But it doesn’t actually erase the file itself, which is “likely still on the embedded memory,” Bird said.
In essence, you’ve burned the directions to your data. But if someone could search through all the data, they might still find it.
“The file is still there though until it is rewritten with a new file,” Bird said. “This is the case with most types of memory storage. So the short answer is yes, someone could probably take your phone contacts even if you ‘erased’ it through the head unit.”
Id.; see Corinne Lillis, Connecting your cellphone to your car could put your personal information at risk (wgal.com) (Feb. 4, 2020) (“Hackers have the ability to connect their phone to your car’s Bluetooth, and your car knows more than just the last song you played.”); Stephanie Wallcraft, How much data does your car collect on you? | The Star (Nov. 27, 2021).
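The distinction Bird draws above, between deleting the pointer and erasing the file, can be shown in a short Python sketch. This is an added example, not code from the quoted articles or from any manufacturer's software; the ContactStore class, its block size, the phone IDs and the contact record are all constructed for illustration and do not model a real head unit.

```python
BLOCK = 64  # bytes per storage block (constructed value)

class ContactStore:
    """Toy head-unit store: an index (the "pointer") over raw memory blocks."""
    def __init__(self, blocks=2):
        self.raw = bytearray(BLOCK * blocks)  # stands in for embedded flash
        self.index = {}                       # phone ID -> block numbers
        self.free = list(range(blocks))

    def sync_phonebook(self, phone_id, data: bytes):
        """Copy a phonebook into free blocks and record where it went."""
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise MemoryError("store full")
        self.index[phone_id] = []
        for chunk in chunks:
            n = self.free.pop(0)
            self.raw[n * BLOCK:n * BLOCK + len(chunk)] = chunk
            self.index[phone_id].append(n)

    def delete_profile(self, phone_id):
        """Pointer-only delete: drop the index entry, leave the bytes alone."""
        self.free.extend(self.index.pop(phone_id))

    def erase_profile(self, phone_id):
        """Delete that also overwrites every block the profile used."""
        blocks = self.index.pop(phone_id)
        for n in blocks:
            self.raw[n * BLOCK:(n + 1) * BLOCK] = bytes(BLOCK)
        self.free.extend(blocks)

    def residue(self, marker: bytes) -> bool:
        """Verification check: is the marker still present in raw memory?"""
        return marker in bytes(self.raw)

def demo():
    vcard = b"BEGIN:VCARD\nFN:Alex Example\nTEL:+1-555-0100\nEND:VCARD\n"  # constructed
    marker = b"+1-555-0100"
    a = ContactStore()
    a.sync_phonebook("phone-A", vcard)
    a.delete_profile("phone-A")                      # what "delete phone" does here
    after_delete = a.residue(marker)                 # index gone, bytes remain
    a.sync_phonebook("phone-B", b"X" * (2 * BLOCK))  # new file reuses the blocks
    after_rewrite = a.residue(marker)
    b = ContactStore()
    b.sync_phonebook("phone-A", vcard)
    b.erase_profile("phone-A")                       # overwrite, then release
    return after_delete, after_rewrite, b.residue(marker)

print(demo())
```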
The best practice would seem to be to consult with the manufacturer before disposing of a device that may store confidential information. Of course, if a duty to preserve potentially responsive information is triggered, disposition or erasure of a storage device may constitute spoliation.