Secure Disposal of Electronic Devices
Written by Lani Byrd   

This article appears in the July-August 2021 issue of Evidence Technology Magazine.
You can view that full issue here.

IT IS NO SECRET that smartphones, tablets, laptops, smartwatches, and other portable electronic devices contain a treasure trove of sensitive data. If these items were to end up in the wrong hands it could violate the original owner’s privacy, putting them or their loved ones in danger. It can also bring potential liability upon the law enforcement agency that oversees these items. It is incumbent upon the property and evidence department to dispose of these items in a secure manner that protects the owner’s privacy as well as the reputation of the agency. Ensuring that these electronic devices are purged in a secure manner is an area that can sometimes be overlooked.

Let’s look at two possible scenarios:

Scenario 1: A teenage girl loses her phone. It is found by a local citizen who does the right thing by turning it in to their local law enforcement agency for safekeeping. Since the phone was never claimed by the owner, the phone is then turned over to be sold at auction. The winner of the auction—who has a nefarious reputation—can now access the private information of this teenager, thus having the potential to cause harm to this person and/or her family and friends.

Scenario 2: A charity receives donated electronic devices from their local law enforcement agency. The charity sells these devices to an electronics recycler, who in turn sells them without ensuring the data is deleted. To his delight, the buyer of the device finds innocent family photos of the children taking a bath together. Not only does this person now have access to these photos, he also likely has the contact information of the family that the device once belonged to. Law enforcement effectively just gave these photos to a man who intends to share them with his network.

In both scenarios, the law enforcement agency could face liability along with negative publicity since they did not dispose of the devices in a safe and guaranteed-secure manner.

This article is intended to help law enforcement agencies to understand the importance of utilizing a data-erasure disposal policy that securely deals with the unclaimed electronics in their possession. It will guide you through the process of evaluating your current electronics disposal method. We will delve into the basic technical requirements your process should meet, and how you can ensure your disposal method protects the owners’ information and your agency’s reputation.

Defining “Secure”: What Does Secure Disposal Entail?

There are two basic components to a secure electronics disposal program:

1. First, all data must be permanently erased from working devices.

2. Second, any device that cannot be erased must be recycled in a manner that protects the data from being recovered at a future time.

Permanent Erasure — Erasing devices is not simply a matter of performing a factory reset. The factory reset process does not necessarily erase the data. For a two-minute video demonstration of just how easy it is to recover data, visit www.data-secure.org/android-factory-reset.

Another way some choose to purge the devices in their possession is to smash them. This is not effective, nor is it secure. Secure data-erasure recycling facilities have helped law enforcement recover data from destroyed devices on multiple occasions. The device itself may be destroyed, but the data contained in it is still very much alive.

To ensure that data on devices is not recoverable, each device must be erased in compliance with minimum industry standards. Using a disposal company that utilizes a third-party, licensed erasure software can ensure that devices are erased to current industry standards. Additionally, third-party verification ensures the integrity of your erasure process.

Below is a list of the minimum standard by device type.

  • iOS – Cryptographic Erase
  • Android – Character Overwrite NIST SP 800
  • Flash Memory – Character Overwrite DoD 5220
  • Hard Drives – Character Overwrite DoD 5220

Environmental Standards — Not all devices can be adequately erased. Some will not power on, are damaged, or are obsolete. These devices must be recycled by a certified R2 recycler. An R2 recycler strictly follows both environmental and security standards for the electronic-recycling industry.

What Should I Look for When Disposing of Devices?

Selling items through an online auction site may sound attractive. However, consider two items of utmost importance:

1) Protecting the sensitive information contained on the device, and

2) Protecting your agency.

If you elect to sell devices through an auction site, make sure the company you choose guarantees the complete erasure of data. Read all terms and conditions carefully. It is common for auctions to use terms like “Certified Data Erasure” or “Secure Data Destruction”, but they employ processes that do not ensure complete data erasure. Some even say so in their user agreement, with terminology such as: “we assume no liability” or “we do not guarantee we will erase all data on devices”.

The 911 Cell Phone Bank (911CPB) is a non-profit 501(c)(3) organization that provides a 100% free service to law enforcement agencies to securely recycle electronic devices. They purchased ten smartphones from a popular online auction site that sells items on behalf of law enforcement and public agency clients to see if there was, indeed, data left behind. Many of the smartphones listed on this auction site are sold in “as-is” condition. Devices are listed as “untested due to the fact it does not power on, does not take charge, sold as-is, for parts, may be account or carrier locked”. Remember, untested essentially means uncleared. James Mosieur, Director of the 911CPB, notes what was found on these ten devices:

  • Two devices were simple-feature phones with no user locks. All data on the devices were available.
  • Two iPhones were iCloud locked. Data was encrypted and they were unable to recover any data.
  • One Android smartphone was unable to be repaired and they were unable to recover any data.
  • Three Android smartphones were repaired. These devices had no user lock, so photos, videos, text messages, and contacts were easily recovered.
  • Two Android smartphones were repaired. They had user locks; however, after a factory reset, photos (including pornography), videos, text messages, and contacts were easily recovered.


A data-erasure station at 911 Cell Phone Bank.

Regardless of who is processing devices on your behalf, be certain to get satisfactory answers to the questions below.

1. Who is processing the devices?

First, determine who is doing the actual processing of the devices. Most charities simply pass the devices on to a third party to process and sell. If your agreement is not with the third party itself, then, should a data breach occur, you could be held liable for any damages sustained by the original owner of the device.

Ask the following of the third-party processor:

• What erasure standard does the processor use? Most organizations (non-profit and for-profit alike) simply use the built-in factory reset or “hard reset” as some refer to it, to clear devices. As the video referred to above proves, factory resets don’t always delete personal data. Make certain the processor you choose adheres to the minimum standards listed above. Otherwise, you leave your agency open for liability.

If your processor relies only on factory resetting devices, find a new processor! Regardless of the good that may be accomplished, they are leaving your agency unnecessarily exposed to potential liability.

• Can your processor prove the devices are being erased properly? Many organizations will simply assure you that the devices are being erased properly. That’s why third-party verification is important. Without it, you must take the word of the processor. With it, however, a qualified third-party software provider will confirm the device has been erased. Most processors do not use third-party software because of the cost: licensing can cost tens of thousands of dollars per year or more.


A metal security gate is just one feature of a secure facility.

Does the processor operate a secure facility? Most facilities have basic security like an alarm system, deadbolts on the doors, etc. However, since portable electronic devices are just that — portable — there must be increased security inside the processor’s facility. Increased security includes:

Background Checks — A background check helps to identify applicants that have a criminal past. While someone with a criminal past may qualify to work in other capacities, they should never have access to devices that contain private and personal data.

Secure Processing Area — The processing area must be secured with locking doors and accessible only by staff that have a legitimate reason to enter. Doors from the secure processing area must not open to the outside of the building.

Security Cameras — Good surveillance, whether live-monitored or recorded, discourages theft and pilfering. Since the processor will have memory cards and thumb drives that can easily be slipped into a pocket before erasure, cameras in the entire facility are a necessary deterrent.

Alarm Backup and Monitoring — The facility’s security alarm must be monitored. In addition, it should have a battery-powered wireless backup that allows it to continue to operate if the phone lines or power is disabled.

Do the processor’s internal policies ensure security? Extra care must be taken when hiring and managing employees, and when handling shipments. Policies that ensure that the law enforcement agency’s data will be protected while under the control of the processor are imperative. Below is a list of minimum policy requirements that should be in place.

– Personal items that can be used to steal or pilfer, such as jackets with pockets, lunch boxes, purses, backpacks, etc., should not be allowed in the processing area.

– As shipments are received, they must be immediately secured in the processing area. Shipments should never be opened outside of the secure processing area. If devices are removed by the processor or their representative, they must be properly secured before removal (for example: Are boxes taped? Are they being transported in a vehicle that can be locked?).

– Only necessary staff who have had a background check should have access to the secure processing area. It should be clear who is authorized to enter the secure processing area, as well as the consequences for unauthorized entry. Visitors should not be allowed in the secure processing area.

– Devices that have not been erased should not be taken outside of the secure processing area.

• Does the processor have a professional liability insurance policy? Mistakes do happen. Your processor should have a liability policy that covers them if they are negligent in the service they provide and, as a result, private information is exposed. They should have no problem adding your agency as an additional insured on the policy.

Does the processor use a certified R2 electronics recycler for recycling broken or obsolete devices? Proper disposal of broken or obsolete devices goes beyond the environmental aspect. Using a certified R2 recycler ensures that devices that cannot be erased are destroyed.

As you can see, there are many variables to consider when ensuring that devices leaving the care of your agency are disposed of in the most orderly and secure manner.

What Now?

Handling electronic devices from your agency is more important than ever before. The way your agency chooses to dispose of purged electronic devices matters. Showing concern for private data after the device leaves your property room can protect your agency and build trust from within your community.

Since 2004, the 911 Cell Phone Bank has been working with law enforcement agencies to provide guaranteed secure disposal of electronic devices. The service is 100% free including shipping costs. Every erasure is tested, certified, and approved. To date, over 150,000 phones have been repurposed and used as emergency devices to help vulnerable persons contact 911 in an emergency.

To arrange for a donation of devices, or to obtain emergency phones for your Victim’s Agency Unit, please contact: 911cellphonebank.org | 866-290-7864 | This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Take the necessary steps now to protect your agency’s reputation far into the future.


About the Author

Lani Byrd works with the 911 Cell Phone Bank assisting law enforcement agencies throughout the country with the safe disposal of electronic devices in their Property & Evidence departments. She previously worked as the National Membership Director for the Emergency Care and Safety Institute (ECSI), providing safety certification training programs such as First Aid and CPR/AED, to law enforcement and EMS agencies. She has also worked for the Citrus County Sheriff’s Office in Inverness, Florida where she held two different civilian positions, 1. Receptionist and 2. Information Technology Support.

 
< Prev   Next >






Lifting Latent Fingerprints from Difficult Surfaces

ALMOST ANYONE can find, process, and lift a latent print that happens to be in a logical and obvious place like a door handle, a beer can, or a butcher knife. But sometimes, a latent print is not just sitting there in a logical and obvious place. Sometimes, you have to use your imagination to find the print and your skills to lift it.

Read more...