Security and Privacy with Second-Hand Storage Devices: A User-Centric Perspective from Switzerland

Second-hand electronic devices are increasingly being sold online. Although more affordable and more environment-friendly than new products, second-hand devices, in particular those with storage capabilities, create security and privacy threats (e.g., malware or confidential data still stored on the device, aka remnant data). Previous work studied this issue from a technical point of view or only from the perspective of the sellers of the devices, but the perspective of the buyers has been largely overlooked. In this paper, we fill this gap and take a multi-disciplinary approach, focusing on the case of Switzerland. First, we conduct a brief legal analysis of the rights and obligations related to second-hand storage devices. Second, in order to understand the buyers' practices related to these devices and their beliefs about their legal rights and obligations, we deploy a survey in collaboration with a major online platform for transactions of second-hand goods. We demonstrate that the risks highlighted in prior research might not materialize, as many buyers do not inspect the content of the bought devices (e.g., they format it directly). We also found that none of the buyers uses forensic techniques. We identified that the buyers' decisions about remnant data depend on the type of data. For instance, for data with illegal content, they would keep the data to report it to the authorities, whereas for sensitive personal data they would either delete the data or contact the sellers. We identified several discrepancies between the actual legal rights/obligations and users' beliefs.