Protecting Data on Old Devices You Don’t Use Anymore
Description
The Bottom Line
If you are trying to protect sensitive or personal data that you no longer need, simply “deleting” that data or destroying the device will not guarantee that it has been permanently erased. For optimal data protection:
- Encrypt your devices and storage media (e.g., hard drives, thumb drives) to protect all of your data, including deleted data.
- Don’t sell or recycle an old device without following the device manufacturer's guidance for securely wiping it.
The Problem
Deleting sensitive or personal data to deny threat actors access is often an ineffective strategy.
When you “delete” a file from your device, it is often still recoverable.
When you move data to the “recycling bin” or “trash” on a device that uses Windows OS, macOS, Android, or iOS, that data is not permanently deleted. The operating system (OS) simply allows that data to eventually be overwritten (i.e., replaced) with new data.
You can’t be sure that the data you have deleted was actually overwritten. As a result, threat actors with the right know-how can recover parts of files―or sometimes even entire files―that you thought no longer existed, allowing them access to any sensitive or personal information contained within.
This also means that if you sell, recycle, or trade in an old device, your sensitive files may remain if all you did was hit the delete button and empty the recycling bin or trash can. Alternatively, if you try to “destroy” a device yourself, critical portions of the hardware may survive destruction and enable data recovery.
The Solution
For devices that you are currently using …
Encrypt your devices (e.g., computer, phone, tablet) and storage media (e.g., thumb drives, hard drives).
By encrypting your devices and storage media, you prevent threat actors from reading, manipulating, or stealing the data stored on them. See Project Upskill Topic 3.0 for guidance on setting up system encryption.
For devices that you are no longer using …
Storing old devices in a secure location (e.g., a safe) is the most effective method of data protection.
However, if you plan to destroy your device, it is best to find a professional recycling or destruction service that will allow you to verify that the device’s hard drive has been destroyed.
Particularly for high-risk communities, it is not advisable to sell or recycle devices containing sensitive or personal information. However, if you plan to do so, you should encrypt your device first. (Project Upskill Topic 3.0)
If you do intend to trade in a device, follow your manufacturer’s guidance for securely wiping the device:
- Windows: Before you sell or gift your Windows 10 device or Xbox One - Microsoft Support
- macOS: What to do before you sell, give away, trade in, or recycle your Mac - Apple Support
- iOS: What to do before you sell, give away, or trade in your iPhone or iPad - Apple Support
- Android: Reset your Android device to factory settings - Android Help (google.com)
Takeaways
Do
- Encrypt your devices. (Project Upskill Topic 3.0)
Do Not
- Use deletion as your primary strategy for protecting sensitive or personal data that you no longer need.
- Recycle or sell your device if you consider yourself to be at heightened risk of targeting by politically or ideologically motivated threat actors.
Project Upskill is a product of the Joint Cyber Defense Collaborative.
Prerequisites
- Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
- Module 2: Protecting Your Accounts from Compromise
- Module 3: Protecting Data Stored on Your Devices
- Topic 3.0: How to Protect the Data that is Stored on Your Devices