Reimagining managerial practices

Security and Privacy with Second-Hand Electronic Devices

The second-hand market constitutes a key pillar of the circular economy (CE), a sustainable model that encourages the reuse of products. As such, it is of high interest for E4S in its mission of spearheading the transition towards a more sustainable economy. And it happens to be increasingly attractive to consumers who care about their environmental impact—beyond the original incentive to purchase goods for comparatively less money.

Second-hand electronic devices, such as smartphones and IoT, are commonly sold on dedicated online platforms such as eBay and Ricardo (in Switzerland). While being more affordable and environment-friendly than brand-new products, transactions of second-hand products can create new security and privacy threats. For instance, the previous owner of a smart-home device they sold recently might still have remote access to it. The problem can be even more severe if the second-hand product has storage capabilities, including but not limited to smartphones, tablets, laptops, hard drives, memory cards, or USB sticks. Such devices could include some so-called remnant personal data (i.e., data that can still be found on the device) or malware. While the former can cause privacy risks for the device sellers, the latter can cause security risks for the device buyers.

Indeed, previous investigations showed that the threat of remnant data on second-hand or recycled electronics is real and serious. For instance, they demonstrated that more than half of the second-hand storage devices include remnant data—in clear or recoverable through specific tools (i.e., widely available forensic tools). These studies reported recovering business documents, medical case reports, financial information (e.g., credit card pin numbers or private keys associated with crypto assets), personally identifiable information (e.g., vehicle registration numbers, phone numbers), and even highly sensitive data such as photos of an intimate nature and pornographic content.

Our understanding of users’ perceptions and behaviors regarding second-hand electronic devices is limited. In particular, understanding how buyers react when they find remnant data is crucial to assessing the extent to which the proven privacy risks associated with remnant data would materialize. Moreover, addressing the privacy and security challenges associated with second-hand storage devices requires both technical and non-technical solutions that support both sellers and buyers throughout the entire transaction process (before and after the exchange of devices). Seeking users’ needs and preferences and engaging them in the design process becomes a necessity to ensure that the proposed solutions are user-friendly, contextually relevant, and aligned with users’ diverse requirements. This is precisely what we will address in this project. More specifically, we will produce reports on our findings regarding users’ behaviors as well as recommendations and tools designed based on our findings and evidence.