US police auction seized cell phones without wiping data stored in them, found researchers at the University of Maryland. Police in the US have been auctioning off mobile phones seized during arrests, with all their data intact.
This is a common practice of selling off items in the custody of the police that remained unclaimed over a period of time, found University of Maryland researchers Dave Levin (Assistant Professor), Raley Roberts (Ph.D. student), Julio Poveda (Ph.D. student), and Richard Roberts (Ph.D. student)
Sellers of seized and used phones from police auctions on various avenues, including PropertyRoom, eBay, and others, took no responsibility for the storage status of the devices they sold.
US police auction seized cell phones without wiping data: Implications
US police selling phones on online markets is a common practice. The members of the Electronic Frontier Foundation and their lawyers discussed the rightful owner of the used phones from police auctions and made the following statements:
- After a specific time, the ownership of seized, stolen, or lost and found items is passed on to the state or local government.
- Items sold during police auctions leave the ownership of the items to the purchaser despite the item being stolen. However, the research read, “..Normally, purchasing stolen property does not transfer ownership rights-even if the buyer did not know it was stolen.” This technically nullifies the credibility of the trade and puts the buyer at risk of knowingly or unknowingly misusing the found data on the used phones from police auctions.
- Moreover, “(The) ownership of the data ends within the confines of the phone. The Computer Fraud and Abuse Act (CFAA) still prohibits the new purchaser from accessing a remote service that they are not authorized to—and merely possessing cookies
or passwords does not confer authorization,” the study read. - Finally, the law says that material pertaining to Child Sexual Abuse Material (CSAM) must be immediately reported to law enforcement.
This puts a question mark on why the police would not make sure to wipe the phones off of such material in the first place before putting them up for auction.
Added to that, individuals in possession of used phones from police auctions are expected to log out of bank apps if they find themselves accessing it on the found or bought device.
In order to reduce the workload on the legal authorities or the police, staff can be hired to look after seized phones in order to curtail threat to data and the buyers.
PropertyRoom and police auction of seized cell phones
Upon finding that a colleague purchased a used phone from PropertyRoom.com that had data from the previous user still on the device, the researchers from the University of Maryland took to investigating the case.
“We started purchasing phones from PropertyRoom, and at the same time started engaging with our university’s ethics board, division of IT, and even legal counsel to discuss how to run this study ethically and legally,” researcher Dave Levin told The Cyber Express.
“Ultimately, we came up with some guidelines to protect the owners of the data as well as the researchers themselves, and we performed our study.”
They purchased a total of 228 phones from PropertyRoom, a seller that partners with over 4,300 police departments in the US. To their surprise, they found that out of the 228 devices, 49 phones had no locks and 61 were accessible with user data still on them.
The researchers contacted PropertyRoom and discussed the findings with them. After giving them three months to investigate the issue, the researchers found that the company stopped selling cell phones for nearly a month.
When they got back to business, the phones were found to be reset to their factory settings. However, the researchers noticed another issue.
“We disclosed our results to PropertyRoom back in October — more than 6 months before going public with our results — so as to give them time to address the problem. When they started selling them again, we purchased all of the phones for about a week and analyzed those, as well,” Levin said.
“We found that PropertyRoom had started wiping their phones, but they were not wiping the SD cards. We also disclosed our results to many police groups, as described in our paper.”
Police auction seized cell phones without wiping data: Buyers at risk
The law is clear about maintaining the privacy of data found on any device regardless of who owns the device failing which, they bring legal implications onto them.
It won’t take long for cybersecurity agents or legal authorities to trace the IP address of buyers of used phones from police auctions if suspicious activities are found.
One of the noteworthy phones acquired through the auction had a peculiar addition: a sticky note affixed to it containing the device’s PIN and the phrase “Gry Keyed.”
This reference is believed to be connected to the widely used Graykey software employed by law enforcement agencies to forcefully obtain a mobile device’s PIN.
Further, the researchers found the credit files of eight people on a device, putting the financial details of individuals who previously accessed the phones at risk. Another phone had screenshots of 11 stolen credit cards. Yet another device had a Telegram group chat history with tutorials on how to run identity theft scams.
Such instances of buying and selling phones with data in the internal or external SD storage is akin to a data breach or a hack that exposes sensitive data.
The market for stolen, confiscated, lost phones
The global market for refurbished and used mobile phones is expected to grow at a compound annual growth rate of 11.45% from 2022 to 2030. This means it can move from $52.34 billion in 2021 to $64.10 billion in 2022.
Several estimates list the US as the fastest growing market for refurbished and used mobile phones. A refurbished phone goes through a process of quality check however, used phones can be dead at the time of selling.
Some of the key players who champion the market of refurbished and used phones are Apple Inc., Amazon, Samsung, Version Communications, and Cashify.
Besides these, Walmart, eBay, Paytm, Huawei, Yaantra, and AT&T Inc. are close contenders. Seeing the brands of phones while making a purchase is not enough to escape falling into legal complications.
The onus lies with the end-users to make sure that they erase all the data from the used phones before starting to use them.
They can also verify with the local police if they feel something amiss with their new purchase if the sellers have not done their part.
“The lack of raw materials like semiconductors in the U.S. during the pandemic, owing to the closure of international borders, to contain the spread of the COVID-19 virus had negatively impacted the supply chains and hampered the export and imports of essential raw materials and smartphones across the globe.
“This created a new opportunity for the vendors operating in the U.S. refurbished and used mobile phones market,” a Custom Market Insights report read.
Although the increased demand of used phones gave a boost to the US market, and others across the globe, the revenue generated from new products fell impacting the market negatively.
