Date created: | Last Updated:

Category: Project

Description: Second-hand electronic devices are increasingly being sold online. Although more affordable and more environment-friendly than new products, second-hand devices, in particular those with storage capabilities, create security and privacy threats (e.g., malware or confidential data still stored on the device, aka remnant data). Previous work studied this issue from a technical point of view or only from the perspective of the sellers of the devices, but the perspective of the buyers has been largely overlooked. In this paper, we fill this gap and take a multi-disciplinary approach by analyzing the situation in Switzerland. First, we conduct a brief legal analysis of the rights and obligations related to second-hand storage devices. Second, in order to understand the buyers’ practices related to these devices and their beliefs about their legal rights and obligations, we deploy a survey in collaboration with a major online platform for transactions of second-hand goods. Our findings show that the risks demonstrated in previous works do not seem to materialize: many buyers immediately format the devices without looking at the data. And none seems to use forensic techniques. We identified that the buyers’ decisions about remnant data depend on the type of data. For instance, for data with illegal content, they would keep the data to report it to the authorities, whereas, for sensitive personal data, they would either delete the data or contact the sellers. We identified several discrepancies between the actual legal rights/obligations and users’ beliefs.