Before you toss out, give away or sell that old USB memory stick, make sure you've properly erased your files. A new study finds that two-thirds of used USB thumb drives still had the previous owner's data on them, even though attempts had often been made to delete the files.
The leftover files included "nude photos, business documents, ID scans, job applications, wage slips, private memos, tax statements, receipts and medical documents," according to Comparitech, which commissioned the University of Hertfordshire in England to conduct the study.
"If a person can be identified in sufficient detail (name, address, email, phone number), then this information has potential value to a criminal for identity theft," said Andrew Jones of the Cyber Security Center at the University of Hertfordshire.
Why a Quick Delete Won't Work
Sadly, most of the previous owners had tried to erase the thumb drives by dragging the files into the trash or by doing a quick-format procedure. But neither method actually deletes files.
Doing a full-disk format of a PC hard drive works well, and today's PC SSDs have built-in wipe tools. But USBs are a different breed, apparently, as even full-disk formatting leaves traces of the previous material.
What You Need to Do
You've got to at least do a full-format procedure, which might still leave enough traces for a professional disk-recovery program to find, or use a dedicated file-wiping program, which should get rid of everything.
If you just want to protect personal stuff that wouldn't be too embarrassing if it got out, then try the full-formatting options built into Windows, macOS or Linux to format the drive. It might not hurt to do it a few times.
But if you have confidential or compromising material on the drive, then use a dedicated file-erase program or drive formatter. CCleaner (opens in new tab), KillDisk, DiskGenius and Partition Wizard (opens in new tab) all have free Windows options. Comparitech recommends AweEraser, Super Eraser and WipeDrive as paid solutions for both Windows and macOS with lifetime licenses ranging from $30 to $50.
A Criminal's Dream
The researchers bought 100 used thumb drives on eBay, secondhand shops and traditional auctions in the United Kingdom, then did the same in the United States. The drives ranged in size from 32MB all the way up to 128GB.
Specifically, the data included "nude images of a middle-aged man along with name and contact details"; "chemical, fire, and power safety documents"; "documents containing the stock exchange dealings of a trader along with their passport and addresses": and "laboratory reports for a petrochemical company."
One thumb drive's contents had the elements of a gripping short story, including "photos of bundles of money and shotguns," "a search warrant," "a forfeiture submission for the seizure of drugs," "a forensic laboratory report on evidence submitted," and, mysteriously, "a letter of resignation from a law-enforcement officer."
U.S. vs UK Users
Sixty-eight of the U.K. drives had recoverable data, and 67 of the U.S. ones did. Only 18 of the American previous owners had properly deleted their files using the proper tools, and only 16 British previous owners had. Twenty of the U.S. previous owners could be identified, compared to 22 British ones.
The similarities ended there. Out of 100 U.S. drives, only one showed no effort whatsoever by the previous owner to delete the data. The British previous owner were more cavalier -- fully 19 had never bothered to even try deleting the data.
Of those previous owners who had tried and failed to wipe the drives, 64 Americans clearly had thought that dragging files into the trash or deleting them would work. (Both methods only place a flag before each file saying that it can be overwritten if necessary.) Eight Americans had tried the quick-format method, which Comparitech noted is often erroneously cited online as a proper way to erase files.
Fewer British previous owners, 47 out of 100, thought that trashing or deleting files would work. But twice as many Brits as Yanks, 16 instead of eight, had tried the just-as-dodgy quick-format method.