In the United States, items in police possession are often sold at auction if they go unclaimed. This includes cellphones that the police obtained through civil asset forfeiture, that were stolen, or that were turned in to lost-and-found. Thousands of US police departments partner with a website, PropertyRoom.com, to auction their items.
Over the course of several months, we purchased 228 cellphones from PropertyRoom to ascertain whether they contained personal information. Our results show that a shocking amount of sensitive, personal information is easily accessible, even to a “low-effort” adversary with no forensics expertise: 21.5% of the phones were not locked at all, another 4.8% used one of the 40 most common PINs or unlock patterns, and one phone arrived with a sticky note from the police with its PIN written on it.
This webpage summarizes our findings from analyzing the phones we purchased from PropertyRoom. We detail our findings in a forthcoming peer-reviewed paper to appear at the IEEE Symposium on Security and Privacy.
We obtained virtually all of the data from 25% of the phones, including:
Some of the phones we obtained had data from victims of identity theft. In that sense, the police auctions re-victimized these people by making their personal information available.
We are cybersecurity researchers from the University of Maryland. We would like to work with law enforcement to better understand why this loss of private information is happening and how best to mitigate it. Please feel free to contact us if you are willing to speak with us.
For more information, including full details from our analysis of the phones, our methodology, and our disclosures, please see our paper: