Understanding the differences between data deletion and data erasure is essential for effectively securing personal information. Many people may be unaware of these dissimilarities and their significance.
This blog will discuss these differences, offer best practices for wholesaler data security operations, and discuss the proper elimination of pre-existing data previously housed on refurbished smartphones.
Understanding Data Deletion And Erasure
Before getting a clear understanding of how data is either deleted or erased, it is important to know what, where, and how data is stored on a smartphone. The central component involved is known as a solid-state-drive (SSD), or flash memory.
On smartphones, this electronic component is typically characterized by a penny-sized chip mounted on the phone’s motherboard, usually co-located next to the unit’s Central Processing Unit (CPU). Within the SSD, digital non-volatile “cells” form a grid, producing an overall digital storage matrix.
The total number of cells of the grid defines the memory capacity on a device. Depending on the configuration of the unit, grids can typically range from 256k bits to 4mb. When a user executes a command on the phone, the system stores necessary data bits within the grid.
There is a considerable difference between deleting data and erasing data. Cohesive groups of data bits on storage devices are known as records, which are monitored and managed by a subordinate index, referred to as a File Allocation Table (FAT).
Within the FAT, a series of position-pointers tell the grid where each data bit is located. When a user commands the FAT to delete a record, the system changes the operating state of each position-pointer from an active to an inactive state. Deletion means that the user will no longer be able to access that record; however, the data on the grid will still exist inside the device. The data bits will be unreferenced and marked as available for overwriting by new information.
This is why various commercial storage recovery utilities can recover data, even though it has been deleted. When data is recovered, the application finds untouched data that the smartphone operating system has marked as free to write over.
In a data erasure, the selected data will be overwritten with masking information on the SSD. The masking or overwriting data can be as simple as a repeated pattern of 1s and 0s or a more sophisticated random sequence. The goal is to eliminate all traces of personal data to the degree that it can never be recovered or retrieved.
There are three basic methods of data erasure:
- Overwriting – Not the best for SSDs
- Block Erase – Effective for SSDs
- Cryptographic Erase – Acceptable, but works only on self-encrypting drives
Each approach delivers different levels of security when full data removal is executed.
Best Practices for Data Deletion
As a wholesaler, the quickest and easiest approach to data deletion is to encrypt the phone (iOS devices will be encrypted by default). Then, perform a factory reset on every smartphone.
Factory resetting a smartphone de-references existing data on the drive and makes the drive fully available for new data. Old data can still be recovered at this stage unless you proceed to the next recommended step, data erasure.
Best Practices for Data Erasure
To make old data irrecoverable, wholesalers need to employ a secure data erasure tool specifically made to handle smartphone SSDs. As an example of the so category, Blancco makes software products to erase Android and iOS devices. BitRaser is another option. Select the data erasure tool of your choice and follow the instructions to completely wipe the device.
Compliance Considerations and Legal Requirements
Various standards regulate the handling of data worldwide, such as CCPA, SOX, GLBA, HIPAA, ISO27001, ISO 27040, EU-GDPR, and PCI-DSS. In the United States, mobile resellers are sometimes asked to meet the NIST 800-88 standards for media sanitization. If you’re selling into the European market, the EU-GDPR is the data privacy and security control standard. Research and comply with the data standards for your relevant geographies.
Conclusion
Data deletion is a necessary but insufficient step toward securely removing sensitive user data from pre-owned smartphones. After you’ve deleted data, you must proceed to the next step of data erasure using dedicated software. Properly handled data erasure eliminates the risk of the next owners of your smartphones using data restoration techniques to access sensitive data. As smartphone wholesalers or distributors, it’s critical to establish a data sanitization process that safeguards user data and permanently erases it, enabling you to confidently and ethically resell devices without data security risks.
