Reporter Wu Xiaoli
"There are a lot of old mobile phones and iPads at home that I don't dare throw away or give away. Deleted data can also be recovered, and formatting is not safe, so it seems right not to dispose of them casually," Ms. Li of Beijing's Haidian District told the China Consumer Daily reporter.
At this year's CCTV "3·15" party, technicians tested "how to completely clear mobile phone data" and concluded that data that has been quick-formatted can be easily recovered. They also found that on many mobile phones restored to factory settings the files still exist: the data has not really been deleted and can be recovered through certain technical means. This has once again raised consumer concerns about information security.
Nowadays, computers, mobile phones, iPads, USB flash drives and other electronic products iterate rapidly, and many people have a pile of old devices at home. Although the second-hand market is hot, many users fear that their data will not be deleted cleanly and that their personal privacy will leak, so they prefer to keep these devices at home.
The hidden danger of leaking data such as photos and files from retired electronic products is a pain point that has long plagued users. How can the data in a phone be completely deleted? What notification or reminder obligations should electronic product manufacturers fulfill? The reporter of "China Consumer News" conducted in-depth interviews to answer these questions one by one.
Q1: Why can deleted data be recovered?
"Commonly used operations such as one-click deletion, quick formatting, and leaving the 'format SD card and phone storage' option unchecked by default cannot completely delete data," Ge Jian, a mobile phone security expert at 360, told reporters.
Peng Gen, general manager of Beijing Hanhua Feitian Xinan Technology Co., Ltd., told reporters: "Taking mobile phone album photos as an example, each photo carries some backups, thumbnails and other information that are not visible on the surface. When photos are deleted from the album and the bin, the backups and thumbnails are not deleted at the same time, and they are clear enough to be viewed normally, which provides an opportunity for data recovery."
Peng Gen said that the file types commonly kept on USB flash drives, such as photos, Word, Excel and PDF files, can be quickly recovered by specialist software technicians even after they have been deleted and the Recycle Bin has been emptied. This is because, in order to respond quickly to the delete action, minimize physical operations on the hard disk and extend its life, the operating system only removes the entry in the "file directory"; the real file body is not cleared. Deleted files are recovered from these remaining file bodies.
Peng Gen added that a quick format of a USB flash drive, for example, does not really empty the data on the entire drive; it only reformats the "directory" of all files, while the file bodies remain elsewhere on the drive.
Q2: How is "deletion" defined in the legal sense?
"There is very little real privacy in mobile phones and computers, and most of it is public and semi-public content." Fu Liang, an independent telecommunications analyst, told China Consumer Daily that the security of much information is time-sensitive. For example, with WeChat or Alipay passwords, if you have not used the account for a few days, or have logged in on another device, logging in again on the original device usually requires a higher level of security confirmation, such as face recognition or a mobile phone verification code. After a mobile phone number is cancelled, telecom operators usually wait 6 months before putting it back on the market, which is also meant to cut off the continuation of information to the greatest extent and reduce the harm caused by privacy leakage.
In the eyes of professionals, for the data in mobile phones, iPads and USB flash drives, the legal definition of "deletion" is not that the data disappears, but that personal privacy information is sufficiently protected.
"There is no concept of deletion of data in the Personal Information Protection Law," Ge Mengying, legal director and data compliance officer of TalkingData, told reporters. "The 'deletion' in the national standard GB/T 35273-2020 'Information Security Technology Personal Information Security Specification' refers to the act of removing personal information from the systems involved in the realization of daily business functions, so that it remains unretrievable and inaccessible. Therefore, it is possible to judge whether data has been 'deleted' according to the criteria of not being retrievable and not being accessible; that is, it is not necessarily a true physical deletion. The definition of anonymization in the PIPL refers to 'the process by which personal information cannot identify a specific natural person after processing and cannot be recovered'. For example, when personal information is anonymized so that the data is in a state where it cannot be retrieved, accessed, or restored, that is, the data is not identifiable and, even if it is combined with any other data, it cannot be seen what kind of data it is, this can be defined as a 'deleted' state."
Q3: How to ensure that all data is deleted?
"One way is complete formatting," Ge Jian said. "Complete formatting deletes and overwrites all the storage contents of a mobile phone or computer."
Ge Mengying suggested that consumers completely format the data on the device multiple times and test repeatedly after deletion to check whether it has really been deleted. For data stored on hard disks and file servers, they should ensure that the original data is deleted and also pay attention to log files with data recovery functions, so that the original data cannot be recovered from them.
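The difference between deleting or quick formatting and a complete, overwriting format, together with the test after deletion that Ge Mengying recommends, as an added example that is not part of the original article. It uses a toy in-memory model (the `ToyDisk` class, the file names and the file contents are all constructed for illustration) and scans the medium for known file headers after each operation.

```python
import os
# Constructed toy model: the "disk" is a byte array and the "directory" is a
# separate table of name -> (offset, length). It is not a real file system.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-"}

class ToyDisk:
    def __init__(self, size=4096):
        self.data, self.directory, self.next_free = bytearray(size), {}, 0

    def write_file(self, name, content):
        off = self.next_free
        self.data[off:off + len(content)] = content
        self.directory[name] = (off, len(content))
        self.next_free = off + len(content)

    def delete(self, name):
        del self.directory[name]        # only the directory entry goes away
    def quick_format(self):
        self.directory.clear()          # fresh empty directory, bodies untouched
        self.next_free = 0

    def full_overwrite(self, passes=2):
        for _ in range(passes):         # overwrite every byte of the medium
            self.data[:] = os.urandom(len(self.data))
        self.data[:] = bytes(len(self.data))   # final pass of zeros
        self.quick_format()

def residual_signatures(image):
    """Post-wipe check: offsets of known file headers still on the medium."""
    found = {}
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            found.setdefault(kind, []).append(pos)
            pos = image.find(magic, pos + 1)
    return found

def demo():
    disk = ToyDisk()
    disk.write_file("photo.jpg", b"\xff\xd8\xff\xe0" + b"constructed-photo-bytes")
    disk.write_file("report.pdf", b"%PDF-1.7 constructed report body")
    results = []
    for step in (lambda: disk.delete("photo.jpg"), disk.quick_format, disk.full_overwrite):
        step()                          # delete, then quick format, then overwrite
        results.append(residual_signatures(disk.data))
    return results

if __name__ == "__main__":
    print(demo())
```

Only the overwrite leaves the scan empty; after the delete and after the quick format both file headers are still found at their original offsets.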
Ge Jian reminded that when restoring factory settings, you need to take the device model into account and separately check the "Delete all applications, settings, data and files" option to ensure that all traces on the phone are completely deleted.
Using a professional data cleaning tool is another effective way to completely erase your data. These tools ensure that deleted data cannot be recovered by writing, overwriting, and erasing data multiple times. "In order to ensure the complete deletion of private data, you can use professional, secure, full-featured tool applications that have a function for deleting private data. In this way, while deleting text messages, managing picture albums and cleaning chat junk to keep the system running smoothly, you can also ensure data security and thorough cleaning," Ge Jian said.
"Another way is to completely destroy the storage media." Peng Gen said that for hard disks, USB flash drives, SD cards and the like, the best way to deal with them is physical destruction. When destroying them with magnets, cutters and other tools, it is best to first use a data cleaning tool to completely erase the data, to ensure that it cannot be recovered.
Q4: How to dispose of old equipment safely?
"Because a mobile phone can be lost, and a computer may suddenly break and need someone to repair it, you should avoid storing private information in a mobile phone or computer for a long time." Fu Liang said that, for example, ID photos in the phone and in chat records should be deleted immediately after they have been used. Private information can also be put in a special privacy area of the phone or computer, and third-party software can be installed on the phone or computer to achieve information protection, or even physical isolation.
Peng Gen said that when using electronic products, attention should be paid to protecting personal privacy and information security and to avoiding the disclosure of sensitive personal information such as passwords and bank card numbers. Use strong passwords and change them frequently, and do not use electronic devices in public for sensitive operations such as online banking or Alipay. At the same time, do not download applications from unknown sources, do not connect to public wireless networks, and so on. "For some important personal data, you can also use encryption to protect it. Encryption can transform data into a form that cannot be understood, so that even if the data is stolen, attackers can't read the contents," Peng Gen said.
Ge Jian said that in addition to wiping the old mobile phone before disposing of it, the application accounts on the phone should be unbound in time and rebound to the new phone's login; the data in the phone's accounts should be deleted in time to avoid leakage caused by synchronization; and a legitimate recycling company should be found to recycle the equipment.
Q5: What are the obligations of manufacturers?
Equipment manufacturers and application service providers should also bear the corresponding security responsibilities. Fu Liang believes that device manufacturers should remind users, in a prominent position in the "mobile phone factory reset" option, to choose whether to delete stored content; at a minimum, the Quick Format option should be set in the operating system. If you transfer your phone or computer to a third person (especially if you sell it on the second-hand market), "fully formatted" is not enough. "It's recommended to let it sit idle for a few months, or to use the phone or computer for a few months for apps that don't require much privacy," he added.
Ge Mengying suggested that application service providers give consumers more prominent formatting options, clearly list the forms of formatting, preferably with strong reminders such as pop-up windows, and ask users to choose whether to format quickly or completely.