E-Waste Privacy Threat on the Rise as Recycling Soars

E-waste recycling is on the rise through municipal collection events and the many “computer, TV, and cellphone manufacturers, as well as electronics retailers [that] offer some kind of take-back program or sponsor recycling events,” the Environmental Protection Agency said. But some are concerned that recycled devices containing personally identifiable information increases the risk that PII will fall into the hands of malicious actors, advocates said in interviews last week.

Recyclers and retailers of consumer electronics responded that the threat to PII comes when devices aren't recycled properly or aren't recycled by a certified e-waste recycler. All said customers need to follow best practices to avoid having their data stolen.

People aren't paying attention to hardware when disposing of e-waste, and many identities are being stolen, said Electronic Recyclers International (ERI) CEO John Shegerian. Only 15 percent of U.S. e-waste is recycled responsibly, according to a recent U.N. report, Shegerian said. The rest is either put in a landfill or shipped to another country like China, where hard drives, because of the “secrets” they hold, have become more valuable than the precious metals used to create the devices, he said.

“People are right to be concerned,” because it’s relatively easy to recover data from the drive of a device, said Electronics TakeBack Coalition National Coordinator Barbara Kyle. Federal agents are approaching companies like ERI asking for help, because some recent data breaches weren't done by China, North Korea or Russia, but occurred because companies didn’t pay for responsible recycling, Shegerian said. Their devices were bought by foreign entities, he said: “The shit is about to hit the fan.” No CEO wants to publicly say he or she had a breach because a device wasn't properly disposed of, Shegerian said. It’s easier to say a company was hacked by Russia, he said.

“Pay attention” to whom you give your devices, Kyle said. A lot of bad actors represent themselves as recyclers and then send the devices to developing nations, Kyle said. The economics of recycling cellphones and tablets are bad because it costs more money to take apart a phone than a recycler can make recycling the device, she said.

PII is vulnerable when recycled cellphones don't have data wiped, Kyle said, saying consumers, who may buy mobile phones about every 18 months as new devices become available, must be “proactive” to ensure data wiping occurs.

Often products like copiers aren't scrubbed, leaving PII vulnerable, said John Juntunen, owner of Digital Copier Security. Though industries have specific privacy laws that apply when getting rid of devices, such as the Health Insurance Portability and Accountability Act for those in the medical industry, the “government won’t fine anyone” for breaching privacy laws when recycling or throwing out old tech equipment, Juntunen said.

Since 2002, most copiers have contained hard drives that store records that can be uncovered if not properly cleared, Juntunen said. Once, Juntunen found a used copier for sale at a warehouse that had been used at an AIDS clinic. Every person who had tested positive for AIDS had his or her information scanned on the copier and that information was still on the hard drive for anyone to potentially access, he said. Other information Juntunen has found includes tax forms, credit card statements, copies of credit cards, driver’s licenses, Social Security cards, company checks, employee records, email addresses for everyone at a company and private fax numbers for pharmacies.

No recycler has been tied to identity theft, industry officials said. But some said that's because it's nearly impossible to demonstrate that linkage, not because it doesn't happen.

In the 15 years CEA Vice President-Environmental Affairs Walter Alcorn has worked on e-waste, he hasn't heard of a situation in which identity theft was traced back to an electronics recycler, he said. Juntunen agrees with Alcorn that it’s nearly impossible to prove an individual’s identity was stolen from a recycled device. Alcorn said consumers should ask a recycling company how the device will be recycled and what kind of assurance they can be given that their information will be destroyed. All responsible recyclers are recycling in a way that ensures information on the device is destroyed, Alcorn said.

Before donating or recycling a mobile device, the EPA recommends that users terminate their service, clear the phone’s memory manually, do a factory hard reset, use data erasing tools available on the Web, and remove the SIM card and either shred it or cut it in half. “Don’t just delete files,” Kyle said. “That doesn’t do it.” Consumers often toss an old device into a drawer instead of recycling it, Kyle said. Since it’s more difficult for a recycler to make money on older devices, Kyle recommended consumers recycle their electronics with a certified responsible recycler as soon as possible.

An April 19 U.N. University Institute for the Advanced Study of Sustainability Sustainable Cycles report on global e-waste in 2014 said the U.S. and China produce the most e-waste, at 32 percent combined. Report co-author Kees Baldé said he hasn’t heard of people not recycling electronics due to privacy concerns, but said some “demolish their hard drives due to potential privacy concerns, and that companies use certified recyclers that guarantee privacy.”

Electronics buyback programs need to do more, some said. Many buyback recycling programs don't scrub data off devices, Shegerian said. Best Buy, the Salvation Army and Staples have good programs, he said, but consumers and companies have to be careful. “People have to do more homework than ever before,” because recycling e-waste is no longer just about the environment, but about an individual's or company’s data, he said.

Computers are the third most commonly recycled product at Best Buy, with ink cartridges No. 1, batteries No. 2, TVs No. 4 and printers No. 5, a spokesman said. “We encourage our customers to be sure to wipe personal data from any products with memory storage that they may be recycling,” he said. “Most of our customers know how to wipe their hard drives,” he said. “When they’re unsure about how to do it, or worried that they haven’t removed their data completely, they can check with one of our Geek Squad Agents, who are available online and at every Best Buy store,” he emailed. “We also require our recycling partners to wipe data before disposing of any products they are handling on our behalf.”

Staples takes customer information protection seriously and follows industry standard practices for handling devices which might contain customer information, a spokesman said. “We strive to ensure data security in the recycling process -- while our recycling partner erases or destroys hard drives and memory-containing devices, we also encourage our customers to erase all personal data from their devices before recycling them or come in to any of our convenient store locations and have an EasyTech technician complete that service for them.”