Re-victimization of identity theft victims

Phones may end up in police custody because their owners were arrested for committing a crime, such as identity theft. In some cases, the phone itself was used as a tool to commit that crime. We initially expected that police would never auction these phones, as they would enable the buyer to re-commit the same crimes as the previous owner. Unfortunately, that expectation has proven false in practice. This work shows the extent to which police sold phones with victims’ social security numbers, credit cards, and credit histories. Even worse, in one case, the police cracked a phone’s PIN and wrote it on a sticky-note that was attached to the phone; this phone was used in identity theft and contained extensive amounts of victim data.

Weakened threat model

Tools like Cellebrite² and GrayKey³ are used by law enforcement agencies and researchers alike for forensic analysis and to gain access to restricted devices. However, licenses cost thousands of US dollars and are out of reach for most users.

In this work, we assume a far weaker adversarial model requiring no sophisticated forensics whatsoever. We were able to access 21.49% of the phones merely by turning them on; they arrived completely unlocked. We were able to unlock another 4.82% of the phones in just a few hours by manually guessing the 100 most popular PINs and patterns. Looking back at the past two years of PropertyRoom auctions, we found 6 instances where police sold phones with sticky-notes containing the phones’ PINs or patterns. Our results show that virtually anyone can gain access to a substantial amount of sensitive information from cellphones sold via police auction, without any special training, device, or software.

A longitudinal view of the auction ecosystem

In addition to our deep-dive analysis into the 228 phones we purchased, we also perform a longitudinal analysis of the cellphone police auction ecosystem. We crawled the PropertyRoom website to obtain approximately two years’ worth of auction data. Our analysis shows that, over these two years, police departments across the US have collectively auctioned off over 33,594 phones at an average price of $16.55 per phone. Moreover, by manually analyzing thousands of photos included in PropertyRoom’s auction listings, we find many instances of sensitive information readily available on the website for free, without having to win an auction. PINs, patterns, names and phone numbers of prior owners, evidence tags describing how the phones were obtained, and the names of law enforcement agents who collected or processed the phones, are all visible on stickers or sticky-notes attached to phones. Our measurements show that the leaking of sensitive information via police auction is widespread, longstanding, and sometimes lacks safeguards as basic as removing a sticker.

Contributions

We make the following contributions:

• We perform the first study of phones sold at police auction by purchasing and analyzing 228 phones from PropertyRoom.

• We show that an adversary with no forensics experience can gain access to 26.8% of phones by merely turning them on or trying the most common PINs or patterns.

• We thoroughly analyze the content of these phones, finding many instances of private and sensitive data, evidence of criminal activity, and data that would enable purchasers to re-victimize previous victims of identity theft.

• We perform what is, to the best of our knowledge, the first longitudinal analysis of police phone auctions, characterizing the economy and showing how longstanding practices divulge sensitive details about the phones’ original owners and the police who processed them.

• We have disclosed our findings to PropertyRoom and other stakeholders and, at least at the time of this writing, PropertyRoom ensures that the phones they sell no longer contain personal information.

• We discuss potential mitigation measures that various stakeholders could take.⁴

Roadmap

The rest of this paper is structured as follows. Section II presents background and related work on police auctions, PropertyRoom, and prior forensics efforts. Section III describes our methods, including our phone collection and analysis protocols, and the legal and ethical concerns we addressed. Section IV provides an overview of the phones we obtained, and Section V gives an overview of the content stored on them. In Section VI, we dig deeper into the phones’ contents and report on the criminal activity we were able to infer. Section VII presents our longitudinal analysis of two years’ worth of phone auctions on PropertyRoom. In Section VIII, we discuss potential countermeasures, and we conclude in Section IX.

A. Police Auctions

In the United States, police come into possession of various items throughout the course of their work.⁵ After a criminal investigation concludes or when lost or stolen property is discovered, police are typically required to inform the rightful owner directly or via public posting (e.g., in a newspaper) that their item is available to be claimed. If the original owner does not claim it after some amount of time, the finder may claim the item if it was lost-and-found; otherwise, items become the property of the state or local government. For instance, New York state law [10] gives owners six months to claim property valued between $100–$499.99 and three years to claim property worth more than $5,000; finders then get three months to claim it. Once that window expires, the property may—and in some instances must [9], [40]—be put up for sale at public auction. The proceeds from these auctions tend to go to the respective local government or the police department that obtained them. These so-called police auctions are a common occurrence in the US; thousands of departments now partner with third party auction houses in order to reduce their logistical overhead. Chief among them is PropertyRoom.

B. PropertyRoom

PropertyRoom.com partners with over 4,300 police departments in the US to reduce the logistical burden of managing their own secure auction website. According to their website and a news article from 2009 [41], PropertyRoom operates as follows: PropertyRoom periodically visits partnered police departments and takes items for sale back to one of five processing centers [31]. PropertyRoom organizes the items into batches to auction, takes photos of them, and lists the auctions under one of the categories on their website, such as Jewelry, Boats & Planes, or the central focus of our paper: "Bulk Lots of Cell Phones"⁶. Each category is processed differently; for instance, most valuable jewelry is appraised. At the time we purchased phones from them, PropertyRoom asserted that each bulk lot of cellphones contained untested items sold as-is for parts. On learning this, we wondered: is anyone verifying that these phones are wiped before they are sold?

The PropertyRoom website handles user accounts and on-line bidding using an ascending first-price auction with bid increments (thereby approximating a second-price auction). PropertyRoom also handles shipping and customer service with the bidders. Finally, PropertyRoom shares the proceeds of the auctions with the police departments whose items were auctioned off; in 2007, Bovid and Sparks reported that PropertyRoom kept 50% of the revenues [4].

C. Legal Considerations of Police Phone Auctions

Before embarking on our study, we wondered: who is the rightful owner of the data on the phones? Are winners of the auctions legally allowed to look at the data? Do the original owners have a right to retain ownership? To answer these questions, we spoke with members of the Electronic Frontier Foundation who in turn discussed it with some of their lawyers. We summarize their analysis here.

Various state and local laws outline the attempts that must be made to return seized, stolen, or lost-and-found items to their original owners (or those who found them) and the time limits that owners have to do so. When this time expires, the items usually become the property of the state or local government, at which point the original owner is no longer entitled to redeem the property. Thus, when the police auction off an item, they transfer their ownership to the purchaser. Note that, normally, purchasing stolen property does not transfer ownership rights—even if the buyer did not know it was stolen. However, in the case of police auctions, ownership is transferred regardless of how the phone was obtained. Put another way: ownership is effectively laundered through the police.

As a result, the winners of the auction own the phones and all of the data on the phones. As an analogy, suppose one were to purchase a painting and later discover that inside the painting was a collection of handwritten letters from the original owner. Ethically, one might argue that the letters belonged to the original owner of the painting, but legally they belong to the purchaser.

However, ownership of the data ends within the confines of the phone. The Computer Fraud and Abuse Act (CFAA) still prohibits the new purchaser from accessing a remote service that they are not authorized to—and merely possessing cookies or passwords does not confer authorization. Continuing the analogy: if the letters contained detailed instructions on how to access a person’s safe deposit box, then those instructions would belong to the purchaser but they would not be allowed to use them to actually access the box. In the case of a secondhand digital phone, if the new owner were to open a banking app that automatically logged into the previous owner’s account, they would be legally obligated to log out.

Finally, there is one form of data that is always illegal to possess, no matter how one obtains it: Child Sexual Abuse Material (CSAM). We consulted with our institution’s legal counsel, who informed us that we were legally obligated to immediately report any such material to law enforcement, if found.

What this analysis meant for our study was that, legally, we were allowed to possess and analyze the materials on the phones, so long as we followed strict methods ensuring that we did not violate the CFAA and that we identified and reported any CSAM we found (though we did not find any). We detail these methods in §III-A.

D. Related Work

Prior work showed that it is possible to obtain data from secondhand electronic devices by using sophisticated forensics toolkits. In their seminal work from 2003, Garfinkel and Shelat purchased 158 secondhand hard disk drives and developed various forensics techniques to extract and analyze 75GB from them [12]. Since then, forensics toolkits have become more advanced, with third-party companies developing zero-days to gain access to phones [45]. In 2016, Glisson et al. compared three such forensics toolkits to retrieve more than 11,000 data artifacts from 49 secondhand mobile devices sold on eBay and a pawn shop [15]. Similar forensics toolkits have been used to get data from USB storage devices [23], [1], memory cards [44], [47], hard disk drives [22], handheld devices [24], and smartphones [13]. In comparison with these prior efforts, our work shows that even an adversary with no sophisticated forensics tools can still gain access to a significant amount of data from phones sold via police auction.

Many studies acquired secondhand devices from diverse sources like eBay [15], [23], [5], computer stores [12], pawn shops [42], a Forbes 500 company [13], and various resellers [25], [46], [21]. Our work extends these efforts into the previously unstudied but critically important space of police auctions. Unlike these other sources of secondhand devices, phones from police auctions are more likely to have been involved in a crime, and are thus more likely to contain sensitive information that could be used for blackmail or re-victimization. Police auctions also introduce a third party not present in other studies’ sources: the police and forensics teams who, as we will show, attach sticky-notes and stickers to phones that divulge PINs, patterns, and information about the phones’ original owners.

We are aware of only one other cursory study of PropertyRoom, performed by Mosieur in 2016 [20], in which they purchased 10 phones and reported on how many were accessible and contained text messages, photos, and pornography. We perform a more thorough evaluation, detailing precisely the sensitive nature of the data on the phones, as well as a two-year longitudinal analysis of PropertyRoom auctions. As a result, we believe our work shows more fully the risks that police auctions pose to society.

A. Legal and Ethical Guidelines

Our study was approved by our Institutional Review Board (IRB) as a secondary data analysis study, as the data on the devices we obtained existed without our intervention. The IRB was primarily concerned with potential harm that could come to researchers, and how sensitive/identifying data would be handled and stored. Seeking IRB approval is a necessary, but not always sufficient, step to conducting ethical research. Our IRB team felt that they alone were not capable of addressing all potential concerns related to this project, and helpfully referred us to both our institution’s legal counsel and our division of IT for further guidance.

Based on discussions with our institution’s legal counsel, division of IT, and the lawyers’ analysis discussed in Section II, we instituted the following rules:

B. Obtaining and Processing Phones

We limited bidding to the "Cell Phones: Bulk Lots" category of phones on PropertyRoom. For these auctions, PropertyRoom bundled together multiple phones in the same auction lot. We actively bid on auctions during two periods of time: auctions that closed between November 11–13 2021, and auctions that closed between February 6–11 2022. We won almost all of the bulk lots of cellphones during these times.⁸ Based on our analysis of the PropertyRoom auctions (§VII), we believe that concurrent lots often come from the same police department. Thus, by winning all of the auctions in a short period of time, it increases the chances of obtaining phones that may have been part of the same criminal investigation (indeed, this was the case; see §VI). However, only buying phones in a single batch risks biasing the results towards a small number of police departments; to reduce this bias, we purchased phones in two groups, separated by months. Collectively, we won 40 auctions, with winning bids totalling $4,245 USD (this excludes shipping costs and additional fees). From these auctions we received 228 phones (including two Android tablets), along with miscellaneous accessories. Apple iPhones make up 29.4% of our dataset (67 phones).

After receiving the phones but before turning them on, we took pictures of the fronts and backs of the phones, then cleaned them with a disinfecting wipe. We prevented the phones from connecting to a network by removing the SIM cards and, after turning the phones on, immediately enabling airplane mode and disabling location tracking.

C. Gaining Access to Phones

Some phones arrived locked by PINs, pattern locks, text passwords, knock codes, or a combination thereof. Sophisticated forensics tools can extract content from locked phones. Low-power attackers have a different tool at their disposal: guessing common credentials. For each locked phone, we manually iterated through a list of frequently used credentials [3], [29], [43], [28] (again locally, not via network connection) until we were locked out, the phone wiped itself, timeouts became infeasibly long to guess, or we exhausted 100 guesses of the credential type. We successfully guessed the credentials for 11 phones; see §IV for more detail.

D. Extracting and Analyzing Phones’ Data

We conducted both automated data analysis of the phones’ digital backups, and manual data analysis on the phones themselves.

E. Disclosure

We disclosed our findings to PropertyRoom with a three-month embargo to allow them time to address the concerns raised in this paper. PropertyRoom acknowledged our disclosure and said they would review their policies and procedures, but did not engage further. Shortly thereafter, they paused selling new bulk lots of cellphones for approximately a month. When new auctions of bulk lots resumed, we successfully won all of them for one week and analyzed the phones, finding that they had been restored to factory settings. However, four phones had SD cards that had not been erased and contained photos and partial backups of the phones. We disclosed these additional findings to PropertyRoom, who did not reply. As of the time of this writing, descriptions for new bulk lot auctions of cellphones on PropertyRoom include: "Devices presented for auction have gone through our internal process to ensure personal information has been removed."

TABLE I Overview of the phone functionality and data accessibility for phones in our dataset

We also disclosed our findings to multiple organizations with ties to law enforcement in the US: National Sheriffs’ Association, International Association of Chiefs of Police, Police Executive Research Forum, Major Cities Chiefs Association, DHS’s Office for State and Local Law Enforcement, and National Computer Forensics Institute.

We have chosen not to try to reach out to the previous owners of the phones—nor to try to return the phones to them—for two key reasons: First, we cannot determine with certainty whether the person we believe used the phone most recently had rightfully owned it, or if they stole it from someone else; returning the phone to a thief risks re-victimizing its true owner. Second, some of the phones showed clear signs of violent criminal activity (see §VI); in the interest of the researchers’ safety, we did not try to communicate with the previous owners at all. Instead, we destroyed each phone (and deleted copies of its non-aggregate data) after we completed analyzing it.

Arrived nonfunctional

Of the 228 phones we purchased, 60 (26.3%) of them were not functional due to hardware issues. This includes phones that could not turn on due to hardware fault (21), phones that could power on but had broken screens (12), phones that neither included a battery nor was there a battery of the same size in our whole dataset (5), and phones that would not operate without a SIM card (1). Also, 21 phones arrived wiped or locked and unusable without some intervention that was beyond the bounds of our methodology (connecting to WiFi, logging into an account, etc.).

Functional, but inaccessible data

Of the 168 phones that arrived in a functional state, we were unable to get full access to 107 of them using our limited means. 45 phones locked themselves down after too many incorrect guesses, requiring the phone to connect to a network to become functional again. 12 phones wiped themselves after we exceeded their guess threshold. 40 phones allowed us to continue guessing, but we stopped due to long timeouts between guesses. For 9 phones, we exhausted our list of popular credentials without finding a match. 1 phone had additional security settings that did not allow us to access anything on the device, despite it not having a screen lock.

Accessible with user data

The remaining 61 phones (26.8% of all phones we purchased) were functional and we were able to access the previous owners’ data. 49 phones (29.2% of the 168 phones that arrived in a functional state) arrived with no lock screen protection whatsoever; merely turning these phones on gave us unfettered access to their data. This percentage largely agrees with a 2016 study that found that 35.4% of Android users in the US do not use lock screens [18].

Using a list of the most popular PINs and patterns (§III), we successfully guessed the login credentials of another 11 devices (10 phones and 1 Android tablet). Of these, we unlocked 2 on our first guess, 5 within 10 guesses, 9 in fewer than 20 guesses, and 2 in fewer than 40 guesses.

Finally, one phone was protected by an unpopular PIN, but stuck to the back of the phone was a sticky-note on which the PIN was written, along with a message indicating that the PIN had been obtained by GrayKey (see Phone 1 in §VI). Recall that the GrayKey forensics tool is commonly used by law enforcement. As such, we conclude that law enforcement gained—and unintentionally granted us—access to this device.

Collectively, these results show that an attacker can unlock a substantial number of phones without sophisticated forensics, or even many manual guesses.

Partial information

We were unable to fully analyze 167 phones: 107 due to their security setups, and 60 due to hardware issues. While we could not investigate these phones fully, 29 had some identifying information accessible by us for partial analysis. 9 of these phones had external SD cards (2 unlocked phones also had removable memory cards). 18 phones were locked, but had identifying information present on their lock screen in the form of notifications or emergency information. 1 phone allowed us to copy files from shared file system locations, despite the phone having a broken screen. Finally, 1 phone had the name of its former owner, their attorney, and the trial district on a sticker pasted on the back of the phone. Our analysis in the following sections includes these phones, as well.

A. Communications

Communication is a two-way street. The phones we bought contain more than the private communications of one person; they have information from everyone else the device communicated with. Our digital backups included text message and call histories for 58 unlocked Android and Apple devices.

Additional communications

The data presented here only scratches the surface of communications accessible in our dataset. One phone had 460 calls in its backup, but elsewhere on the phone saved a 39-page phone bill with a record of an additional 1,441 phone calls. Others had locally stored voicemail messages. Many phones had third-party messaging apps with even more visible content, including WhatsApp, Facebook Messenger, TextFree, TextNow, and Telegram. Our backup tools did not allow us to extract these messages, but we were able to manually view them on the phones.

Fig. 1

Ranges of time for when each phone was in active use. The red lines represent our two bidding periods.

Show All

B. When Were These Phones Used?

After leaving possession of their previous owners, the phones had to pass through the police, PropertyRoom, and shipping, before arriving in our physical possession. Communication timestamps establish a window of time when each phone was actively in use, and allow us to estimate how much time elapsed between the previous owner losing possession of the phone and us gaining it. To this end, we use text and call histories when available, as they are unlikely to contain events synced from other devices; we use other time indicators from the phone when necessary.

Figure 1 shows the active time ranges established for the phones we collected. The two solid vertical lines on the right represent our bidding periods in Nov. 2021 and Feb. 2022. Phones are sorted vertically by the most recent timestamp in their activity range, allowing us to see the distribution of time-of-use to time-of-sale. The phones in our dataset were used between 2011 and 2021, with the largest clusters in early 2018 and mid 2020. This shows that phones released from police departments contain information ranging from months to a decade before being sold: wide-ranging data that a malicious purchaser could mine.

C. Phone Contacts

Next, we measure the number of contacts on each phone to better capture the number of people whose data is being sold by the police. We start by looking at the distribution of the 5,484 contacts explicitly listed in "Contacts" applications on the phones. Two phones had over 600 contacts; seven phones had 200–300; six phones had 100–200, ten had 50– 100, fourteen had between 10–50, and seven phones had fewer than 10 contacts.

We find that "Contacts" applications under-represent the number of other phones each of the phones we purchased have communicated with; many phones call and text numbers that are not tied to a named contact. We calculate a more representative contact list by taking the union of all phone numbers from call histories, text messages, and "Contacts" apps¹¹. Figure 2 visualizes our expanded contact lists. Each phone has a stacked histogram representing the number of unique phone numbers only called, only texted, both called and texted, and numbers present in the "Contacts" app that were neither called nor texted. The black dot on each bar represents the total size of the "Contacts" app list for that phone. A greater difference between a black dot and the top of its histogram implies more under-representation were one to ignore unlisted phone numbers. Overall, we found 7,151 unique phone numbers in our expanded contacts lists. For 21 phones, the expanded list more than doubled the number of known phone contacts, and eight of those phones had expanded contacts but zero phone numbers in their "Contacts" app.

Fig. 2

Stacked histogram for the expanded contact set of each phone. The difference between the black dot (all phone numbers in the "Contacts" app) and the height of each bar is the number of phones contacted that would be missed by only looking at the "Contacts" application.

Show All

In summary, the phones we purchased at police auction leak communication data for an order of magnitude more individuals than the number of phones purchased.

D. Images

Here, we demonstrate the scope and severity of sensitive photos sold on police-auctioned phones. We manually analyzed all images stored in gallery applications and MMS attachments, and classified sensitive ones into the categories shown in Table II. The table shows how many phones had images of each type. Many phones had photos depicting drugs and drug use, conversations of screenshots, and photos of young children or family members. We identified 19 phones with residual images, that the previous owners attempted to delete but were still visible in settings or trash folders. Finally, we identified 18 phones with nude images.

Glisson et al. [14] similarly found instances of sensitive photos on phones they purchased from eBay and pawn shops. Our findings show that phones purchased from police auctions are especially sensitive, as they are evidently more likely to contain pictures pertaining to criminal activity. We return to this in §VI.

E. Browsing History

Browsing history can reveal a wide array of information on activities that the user may wish to keep private. Browsing histories also contain page titles, paths, and parameters that can reveal even more specific information about page interactions.

TABLE II Image categorites of interest, and how many phones had at least one image including that content.

TABLE III Number of phones in our dataset with web histories that show the browsing of sensitive websites, according to Cloudflare’s domain categories [6]. The three "Questionable Activities" websites comprised (1) black market financial statistics, (2) pornography, and (3) a cult-like organization.

We extracted 2,511 unique domains browsed from 51 devices. We used Cloudflare’s website categorization [6] to classify each domain name, and counted the number of phones that browsed at least one site in those categories. Table III shows the results for the seven categories we identified as being particularly sensitive. We observed Ecommerce activity for 35 of the 51 phones. The phones in our dataset track pornographic consumption habits for 31 individuals, and 18 phones browsed other websites that Cloudflare considers to have "Adult Themes," which include websites advertising escort services. Finally, we saw phones browsing file sharing websites (8), websites about drugs (3), sites that Cloudflare considers as having "Questionable Activities" (3), and one phone browsing a website associated with deceptive advertising.

F. Locations

While our sample was purchased during two short windows of time and may not be representative of all phones sold through PropertyRoom, we can still gain insight into which states are participating in this ecosystem. Table IV summarizes where the phones in our sample came from, using three tiers of confidence.

We identified 40 phones with high-confidence location information, such as: home or work locations saved in maps applications, addresses in the browser’s auto-fill settings, documents or IDs with the primary user’s home address on them, or evidence stickers on their exterior saying what state the police department resided. An additional 33 had other, more loose indicators of location, including: maps and internet search histories, weather applications, text messages and emails, location-specific phone applications (e.g., local transit apps), and public records for the suspected primary user. We also incorporated geographic metadata present in 2,621 images across 30 phones in this category. In total, 73 phones provided some degree location information about themselves.

TABLE IV States where the phones in our dataset were primarily used and collected. We classify the phones into two tiers based on the specificity of available location data. We then project the location of known phones onto phones with no known location sold together via the same auction.

The majority of phones had no visible indicators of where they came from. However, to the best of our knowledge, phones bundled together in the same auction are sold from the same police department. We can use the 73 phones with known locations to infer the locations of unknown phones that were sold alongside them. This accounted for 35 of our 40 auctions, and 88.1% of all of the phones we bought.

G. Sensitive Data

We close this section by analyzing the most severe examples of sensitive data found on the phones, bringing together data from communications, photos, documents, settings, and applications. We identified 31 phones in our sample that had some kind of severe information leakage, defined as the leakage of social security numbers, credit/debit cards, bank account numbers, government-issued identification, passwords, and other authentication information. We break down each of those categories below, and summarize our results in Table V.

Identification

We identified 12 phones with photographs of government-issued IDs. Five unique passports were present across 4 phones: 2 from Germany, 2 from El Salvador, and 1 from Romania. Six phones had a total of 14 unique US Driver’s Licenses. Two phones included permits allowing their owners to carry a firearm. Five phones had 8 other government-issued identification cards: 5 US state-issued ID cards (equivalent ID to a driver license without enabling its owner to drive), 2 German ID cards matching two of the passports, and 1 USA employment authorization card.

TABLE V Types of sensitive data, the number of unique instances of that data, and the number of unique phones that contained at least one instance of that data.

Identity theft and credit card fraud

Phone 1 arrived to us with a note taped to its back. The note had a numerical identifier, the phrase "Gry keyed" followed by a date, and a 4 digit number. GrayKey is a forensics tool used by law enforcement that is capable of cracking a phone’s PIN. The 4 digit number unlocked the device, which would have otherwise remained locked as the number was not in our list of 100 frequently used PINs.

This phone contained photos of two credit cards, nine bank account and routing numbers, a photo of a computer screen (with a username and password) detailing a medical encounter, three drivers licenses, and one state-issued ID card with a photo and address. A text message thread on the phone was more concerning: the owner sent pictures of 3 money transfer receipts to another individual. In return, the other person sent the owner screenshots, PDFs, and HTML files of 24 Experian and TransUnion credit histories. These documents listed names, employment histories, addresses, phone numbers, family members, bank accounts¹², loans, and credit cards. We believe these were 24 victims of identity theft at the hands of the owner of this phone. Finally, 23 of the documents listed full, unmasked SSNs.

TABLE VI An overview of notable criminal or suspicious activity found on the phones in our dataset, on court documents present on the phones, or in publicly available records. More details on each phone can be found in Section VI.

Phone 2 also had SSNs, names, addresses, and phone numbers for 8 victims stored in the phone’s note-taking application. Signs indicate the owners of phones 1 and 2 were working together: one victim was shared between both phones, they had mutual contacts, and phone 1 called a number used as a Facebook login ID on phone 2. Phone 1 also had a text message arranging travel to meet with the owner of phone 2.

Phone 3 had a photo of a website marketplace for stolen credit card numbers. The page showed a username and a purchase of 90 credit cards, 11 of which were visible on the page and included full 16 digit card numbers, names and addresses, and security codes. Ten of the credit cards had not yet expired when we received the phones from PropertyRoom (though we did not attempt to verify whether they had been frozen). Emails on the phone show a wide array of credit cards being used to purchase expensive goods and travel.

Phone 4 was a member of a group chat on Telegram that sold tutorials for committing: USPS insurance fraud, physical credit card cloning, abusing financial mobile apps, COVID-19 small business loan assurance fraud, and tax return fraud, among others. Screenshots of payouts with sensitive information redacted were used to advertise the tutorials. One victim’s SSN, credit card info, name, phone address, Apple username/password, IP address, and browser user agent string were provided unredacted by the group manager, as a show of goodwill to entice group members to pay for more.

Originally, we had hypothesized that police departments were wiping (or at least not selling) phones they knew to contain victims’ data. Surprisingly, not only do they sell such phones, but in some cases they make it easier to access the data on them. The PIN for phone 1 was written on a note that stayed on the phone when it left police custody, when PropertyRoom took pictures of it for the website (see §VII), and even when it arrived to us after winning the auction. In effect, the police broke into the phone for us, giving us easy and legal access to credit histories of 24 people who had already been victims of identity theft.

Police procedure

Public records show that phone 5’s previous owner was arrested for "Commercial Sex Abuse with a Minor" on the same day and in the same location as the activity on the phone, and was later found guilty. The phone has a text message thread where the owner knowingly solicited sex from someone claiming to be a minor, arrived at a predetermined location, and ended with a text from the other party saying only "Test." Due to the timing of the messages and arrest, we believe this may be evidence of a sting operation where law enforcement agents posed as a minor. If so, this phone contains the procedures those agents used to persuade and catch a criminal, details that could diminish the effectiveness of those techniques in the future if they were made public.

Sex workers

Phones 6, 7, and 8 belonged to three sex workers operating for a brief time in the same city. All three phones shared contacts, communicated with each other, and shared photos between them. The phones contained nude photos, as well as three passports and two state ID cards for their prior owners: two German and one Romanian. Emails show advertisements purchased on escort websites. The three phones called and texted with 223 unique phone numbers, with even more conversations with clients visible on third party messaging apps. These phones’ content not only poses a risk to the three owners, but the conversations and contact information of their clients could have been used for extortion or blackmail.

Court documents, public records, and drugs

Some phones had explicit proof of crimes that their owners were accused of in the form of court document PDFs downloaded to the phone. Phones 9 and 10 were owned by the same individual, and have documents for them and their associate. The associate was already incarcerated and facing additional charges for improperly driving a vehicle. The other document was a determination of probable cause summoning the owner to court, facing charges of possessing a stolen and modified firearm, and of possessing methamphetamine and heroin. A witness statement included in the document claimed that this person was a drug dealer. Phone 11 similarly had legal documents explicitly spelling out charges related to drug possession, and many other phones had evidence of drug dealing but lacked court documents alleging explicit charges. One final phone ended activity with the owner checking into a drug rehabilitation program. Public arrest records later show that the owner and an associate they contacted were arrested in a fentanyl bust years later.

Violent crime

The owner of phone 12 was a member of a large violent gang in the US. The phone had a photo of a booking for an associate who was convicted of murder, and a conversation discussing details about another victim of gang violence. Public records show that some time after the phone was in active use, the owner was murdered by a named contact in their phone. Phone 13 has no discussion of violence on the phone itself, but the owner and an associate named on the phone were both arrested years later for second-degree murder.

Harassment and stalking

Phone 14 had multiple applications installed indicating a pattern of harassment or stalking. These included apps for enhancing photos and audio collected from a distance, a "lie detector," an app for detecting hidden cameras, and an app for detecting or preventing wiretapping of phone calls. The phone’s web history also had searches for location and other personal information about one individual, and searches for tools that enable SMS bombing.

We compared the lists of installed (and in one case, deleted) applications from the phones we purchased to lists of known stalkerware [7] and spyware [19], [11] applications. No phones had known stalkerware, and three phones each had one spyware app.

Stolen or lost phones

The arrest of an owner is not the only means by which police can gain possession of a cellphone. The phone may have been submitted as lost-and-found property, or the previous owner may have had their phone stolen by a third party who was later arrested. We witnessed evidence of the latter; the most recent two text and voicemail messages on phone 15 implied that it had been stolen, and were threatening the thief to return it.

At the time of our study, PropertyRoom auction descriptions warned that the devices purchased may be nonfunctional due to "identification of this item as stolen on a telecommunication carriers record." Each cellphone has a unique fingerprint in the form of an IMEI number (or equivalent). The Global System for Mobile Communications (GSMC) maintains a database of IMEI numbers for stolen or lost phones [17]. The US-based cellular trade organization CTIA provides a public interface for consumers to check if their IMEI was previously reported as lost or stolen [8]. Ten of the 207 phones in our dataset with legible IMEI numbers were reported as lost or stolen according to CTIA. Three were unlocked, and two were locked but had SD cards with data that we were able to extract. These phones stored resumes, images of full nudity, a credit card, bank account information, and documents describing former arrests. We conclude from this that users rarely report stolen IMEI numbers and, even when they do, they frequently lack protections from even a low-effort adversary.

A. Methodology and Dataset

We crawled the PropertyRoom website to obtain information about each auction spanning approximately two years: March 5, 2020 [32] to February 28, 2022 [38]. We chose a two-year period somewhat arbitrarily; we wanted a long enough period to be broadly representative, but did not want to overburden the PropertyRoom websites with more crawling. The information on each auction webpage includes the auction’s title, winning bid, category (e.g., "Electronics: Bulk Lots"), and the pseudonymous IDs of the sellers and winning bidders, In total, this comprised 560,020 auctions across all categories (not just cellphones) and all sellers (not just police).

From these, we filtered specifically for the seller ID for police¹³ and the category ID for cellphone bulk lots.¹⁴ There are multiple categories in which police sell phones, but we limit our analysis to bulk lots as we believe they are more likely to contain phones with previous users’ data. This resulted in 5,241 auctions¹⁵. Each auction on PropertyRoom has one or more pictures of the items; we downloaded all of them for the police-sold cellphone bulk lots.

Next, we filtered out re-listed lots. Some lots are auctioned off multiple times, possibly because there were no bidders or the winning bidder did not pay. In such cases, PropertyRoom reuses the photos; we filter out redundant lots by comparing hashes of the images and removing all but the final lot any images appear in. Collectively, this resulted in 4,940 unique bulk cellphone lots sold by police over this two-year period.

Fig. 3

Cumulative number of police-sold phones auctioned within bulk lots on PropertyRoom, March 2020–March 2022.

Show All

B. Phones Sold

First, we investigate the number of phones sold by police in bulk lots over this two-year period. Each auction title includes the precise (e.g., "6") or approximate (e.g., "10+") number of phones in each bulk lot. To estimate the number of phones, we parsed out this number, ignoring the "+". This gives us a lower bound on the number of phones sold; for instance, one auction [39] has 25 phones but only lists "10+" in its title. There are other potential sources of inaccuracies; for one of the lots we purchased, we received a phone that was not originally shown on the website.

In total, over these two years, we observed 33,594 phones that were once in police custody being auctioned on PropertyRoom. Each lot had on average 6.8 phones (median 6), with as few as 2 and as many as 30 [33]. Figure 3 shows the cumulative number of phones over time, indicating that there is a steady flow of phones. We speculate that PropertyRoom maintains a mostly fixed rate of phone sales so as not to allow the supply to exceed demand.

If the set of phones we purchased are representative of the broader population of phones, then we can estimate that over the two-year timespan: 7,219 phones would have arrived unlocked; 1,619 phones would have had easily guessable credentials; 4,569 would have had sensitive information (Table V); and 1,475 would have been blocklisted in the CTIA.

C. Money Spent

The total winning bid amounts over this two-year period was $556,008.92 (excluding the duplicated auctions), with an average of $112.55 per lot and $16.55 per phone.¹⁶ The revenue per lot has remained roughly constant over the two-year window we studied.

This is a considerable sum, but the total revenue of all police-sold auctions on PropertyRoom during this time was $51,181,495; cellphone bulk lots constituted only 1.1% of this total.¹⁷ In 2007, Bovid and Sparks reported that PropertyRoom receives 50% of auction revenues [4].

Fig. 4

Fraction of the 4,940 auctions won by the top 100 buyers. The top-six buyers collectively purchased 51.5% of all of the police-sold bulk lots of cellphones. (We were the 18th ranked buyer, indicated by the solid black line.)

Show All

There are several other categories of note that also contain computing devices: Laptops (total police-sold revenue $909,324), iPhone & iPod ($689,572), Bulk Lots & Other Electronics ($435,511), Smartphones & Cell Phones ($424,789), and iPads & Tablets ($341,799)—representing a total revenue of $2,800,995. We did not investigate nor bid on any items from these categories, preferring instead to focus on the bulk lots of cellphones in particular. However, we believe these other categories also merit study to detect whether they have any sensitive materials.

D. Who Is Buying These?

The 4,940 unique auctions were won by 393 distinct buyers (including us: we bought all of our lots under a single buyer ID). Figure 4 shows the cumulative fraction of auctions won among the top 100 bidders. A small set of bidders won most of the auctions; the top buyer purchased 703 (14.2%) of the auctions for a total of $61,288.04, and the top six buyers collectively purchased 2,545 (51.5%) of the auctions.

PropertyRoom also provides information about the shipping city and state of the winning bidder. The 393 buyers we observed cover most of the US, spanning 40 states and Washington, DC. This shows that the dissemination of potentially private and sensitive data is not limited to any one region.

E. Photos of Auction items

Recall that one of the phones we purchased had a sticky-note attached to it with the phone’s PIN. We sought to understand whether this was a one-off, or if divulging of information about the phone or its owner occurred in other auctions, as well. To answer this, we manually inspected each of the 15,760 unique photos from our two-year window of police-sold, bulk cellphone auctions. Specifically, we looked for any leaks of the private information stored on the phone. These pictures would have been available to bidders at the time of auction.

Police departments

Police departments could wipe phones before selling them or, better yet, destroy them and not sell them at all. The loss of revenue would be small (in §VII-C, we estimate bulk lots of cellphones to constitute only 1.1% of police auction money), and the benefits to protecting citizens would, in our opinion, outweigh it. At the barest minimum, police should consider removing stickers and notes from the phones before releasing them to PropertyRoom, especially if those notes contain the PIN or pattern to unlock the phone as determined by sophisticated forensics tools beyond those available to the general public (as in §VI).

Legislatures

Governments must ultimately consider if the monetary benefit from selling phones in police possession outweighs the risks to everyone involved, especially if it enables victims of crimes like identity theft to have their stolen information sold to another person who could abuse it. At the federal level, entities are already required to take reasonable measures to prevent unauthorized data access or use when disposing of devices that contain consumer information [30]. State legislatures should consider analogous regulations to prohibit the sale of devices in police possession that store personal data. While our paper only investigated auctions in the United States, our recommendations are applicable to anywhere in the world where unclaimed property is auctioned by police.

PropertyRoom and other auction houses

Arguably, sensitive information should never leave a police department’s evidence room in the first place, but pragmatically speaking, auction houses like PropertyRoom are in a unique position to handle the wiping or destruction of phones from many police departments. After our disclosure and as of the time of this writing, PropertyRoom appears to agree that they are in a position to act: they have since adopted an "internal process to ensure personal information has been removed" from all cellphones sold in bulk lots (§III). It is not yet clear if this will be a permanent or universally adopted solution amongst other auction houses; it is possible that taking on the responsibility of wiping the phones’ contents could increase their legal exposure, particularly if they were to wipe incorrectly.

Phone manufacturers and application developers

Certain phones and applications had defense mechanisms that complicated our analysis. Limiting the number of incorrect guesses made it more difficult to guess the credentials to many locked phones; blocklisting common PINs/patterns would have made it even more difficult. Some applications would not allow us investigate and change account settings from within the app itself, and instead required the user to re-authenticate in a web browser. This could help prevent an attacker with physical access to an unlocked phone from gaining all available account information. While these techniques may not thwart a more powerful adversary, they raise the bar enough to preclude a much larger population of potential attackers from gaining access to highly sensitive materials.

Phone auction winners

Looking through the contents of the phone in a non-controlled environment can risk violating the CFAA or exposing the user to psychologically harmful photographs. In §VI, we found that some phones belonged to people with histories of violence, and many phones offer location tracking features that could reveal the buyer’s location to the phone’s previous owner. We recommend not purchasing phones from police auctions, but if one decides to, it is safest and arguably most ethical to wipe the phones immediately upon receiving them.

Original owners of the phones

The original owners of the phones have several mitigation steps they can try to take. First, users should choose nontrivial PINs or patterns. If one’s phone is stolen or lost, they would be well advised to check various online databases and newspapers for reports of unclaimed property (see §II). Barring that, more recent phones have the ability to remotely wipe a lost or stolen device; users should employ these, as well as report their phone’s IMEI as stolen. While it is encouraging that some applications have the ability to require passwords before permitting access, it is also likely that an adversary with access to the phone would have other means by which to recover or guess the password. Users whose phones have been taken should consider changing all of the relevant passwords and freezing financial accounts.