By Bob Sullivan
What would you do if you found a smartphone on the subway or at a coffee shop? If you're like most Americans, you'd rummage through the phone looking for photos, emails and even private banking information. And the chances are only 50-50 that you would try to return the phone.
Computer security firm Symantec Corp. recently conducted an elaborate, first-of-its-kind study on lost smartphones and shared the results exclusively with TODAY and msnbc.com. The company set a trap for human nature, then sat back and watched. The results were not pretty.
Symantec researchers intentionally lost 50 smartphones in cities around the U.S. and in Canada. They were left on newspaper boxes, park benches, elevators and other places that passers-by would quickly spot them. But these weren't just any phones -- they were loaded with tracking and logging software so Symantec employees could physically track them and keep track of everything the finders did with the gadgets.
Symantec Corp.
Symantec Corp. researchers left this cell phone on a newspaper box in New York City -- then used logging software and GPS to watch what happened next.
To spice up the test, the phones had an obvious file named "contacts," making it easy for any finder to connect with the phone's rightful owner. But the phones also offered tempting files, with names like "banking information," and "HR files."
Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were checked by 60 percent. And a folder labeled "private photos" tempted 72 percent.
Collectively, 89 percent of finders clicked on something they probably shouldn't have.
Meanwhile, only 50 percent of finders offered to return the gadgets, even though the owner’s name was listed clearly within the contacts file.
"I wasn't surprised, but I wish I had been,” Kevin Haley, director at Symantec’s security response team, said of the unscientific test. “At the end of the day people’s curiosity is so strong, if you present them with the opportunity, they will do it. You would have hoped most people would have made every effort to return the phone."
It's important to note that most, if not all, of the finders weren’t criminals and did not wake up the day they found the lost phones with the intention of rummaging through someone else's personal information. But the temptation created by finding such a device was apparently too much for most of them -- even for some Good Samaritans who tried to return the phone. The story of one lost phone illustrates this point.
On Feb. 2 at 3:05 p.m., Symantec “lost” a phone in a bathroom at Santa Monica Pier in California. A finder tried to access the phone's contacts application 18 minutes later. Moments later, the finder accessed files labeled “passwords,” “cloud-based docs” and “social networking.”
GPS data indicates the finder moved the phone into a nearby restaurant, then into a mall, and an hour later, to a dog park. At around 5 p.m., the finder opened the Contacts application three times, even there were only two entries listed in it – and one, clearly including an e-mail address and phone number for the owner.
Then the finder continued rummaging around the device, started the File Manager application, and explored files on the gadget's SD card.
The phone then made its way through downtown Los Angeles, eventually settling in East L.A., where the finder opened the passwords file three times. Then, online banking, social networking, contacts, private pix, remote admin and other files were opened in rapid succession. Soon after, the device was plugged into a computer for recharging, and then finally reset to original factory settings, wiping all the logging software off the gadget.
Symantec Corp.
This map shows where one finder moved the phone; a chart on the right shows what apps and files were accessed.
But a guilty conscience eventually won out with this finder. On Wednesday, Feb. 8, nearly a week after the gadget was lost, the finder wrote an e-mail to the supposed owner. It read:
"Hi. I found your phone at the Santa Monica Pier last Thursday (Feb. 2). I used it for like a week but now I feel bad and want to return it. I'm really sorry. :/ What do you want me to do to return it to you?"
Some might consider the 50 percent return rate a victory for humanity, but that wasn't really the point of Symantec's project. The firm wanted to see if -- even among what seem to be honest people -- the urge to peek into someone's personal data was just too strong to resist. It was.
"The most stunning thing to me were the people that attempted to open bank account information - four out of 10 finders. That's, a lot," Haley said.
Another tale of a phone lost near Rockefeller Center in New York City at 4 p.m. on Feb. 2 illustrates this point well.
The finder moved the phone some six blocks north, then repeatedly opened and closed the contacts application, again containing only two entries. One can imagine the finder struggling with his or her conscience like the “Lord of the Rings” character, Gollum, deciding what to do. Between 4:30 and 6:30 p.m., the finder opened most of the other applications, and took many more glimpses into the “contacts” file. At 10:30, activity on the phone stopped.
Symantec Corp.
This phone was left in a bathroom near Los Angeles.
Suddenly, at 4:03 a.m., the phone was used again by its finder -- this time to peek a view of the “HR salaries” file.
"It's like they woke up out of a deep sleep and said, 'Hey there's salary information on that phone. Let me see if I can access it,'” said Haley.
At 6:30 a.m., the finder opened the calendar, private pix, social networking, online banking, HR salaries, remote admin, corporate e-mail and passwords. For the rest of the day, there was near continuous rummaging through the phone, including the eventual launch of File Manager to see the entire phone's contents.
"It's relentless. He can't get into online banking so he goes back to the file that has passwords in it, checks the passwords again and tries again,” Haley said. “He tries to log in remotely to the computer, can't get on so he goes to password to get the password and tries again."
By nightfall, activity on the phone stopped, and it remained relative dormant until it was moved to New York City's Chinatown area at 5:35 a.m. Feb. 9 -- one week after it was lost -- and wiped clean, probably for sale on the black market.
Scott Wright, president of Security Perspectives Inc, helped design the research for Symantec. One statistically insignificant finding he called attention to: the return rate in Ottawa was 70 percent, highest in the study. The lowest return rate – 30 percent – was in New York City.
“Curiosity is a very powerful thing, especially on a mobile,” he said. “The most surprising thing is how obsessed people became with finding personal information off the phones, with accessing e-mail, accessing social network, private pictures. … People didn't give up. They just kept trying again and again over the course of a week to get access to this data and that really surprised me.”
RED TAPE WRESTLING TIPS
The lesson here is obvious: studies show that half to three-fourths of smartphone users don’t password-protect their phones. That’s an invitation to disaster. While most corporations force users to password-protect their phone, many personal users think entering a password is a hassle that interrupts their texting habits.
One lost phone would quickly change that perspective.
After the steady drumbeat of identity theft and lost privacy stories, why would consumers still choose to put their smartphones at risk?
“People haven't thought it through,” Haley said. “Maybe before they had a smartphone, losing an old cell phone was devastating but there wasn't much information on it. Maybe it’s like the frog in a pot of cold water that’s eventually boiled – it wasn’t that bad losing their old phone, so people haven't thought through how much information is now on their smart phones and what could happen if they lost it. We hope this research shows what could happen and sticks out in people's minds.”
Even if you are glass-half-full person, and think a lost phone would find its way back to you, if you don’t use a password you’re still putting your data at great risk.
“The moral of the story is that people may offer to give you your device back, but you shouldn't assume they haven't accessed any of their personal or corporate information on the device,” Wright said.
Of course, PIN-protecting your phone may prevent a Good Samaritan finder using “contacts” to find you. So Haley recommends placing contact information on the outside of the phone, perhaps on the case.
Also, consider technology that allows you to wipe the smartphone’s memory clean in case it’s lost. There are also services like Apple’s MobileMe, which let you locate the phone through a Web page; several commercial services offer similar products.
If you find a phone, the best thing to do is quickly turn it in to the nearest authority – a police officer or the lost & found at the mall, for example. If you really want to gain good gadget karma, and you can determine the service provider, walk it into a nearby Verizon, T-Mobile, Sprint or AT&T store and turn it in there. It’s easy for stores to look up the phone’s serial number and get contact information for the rightful owner.
You might look up the owner on the gadget and send him or her an email. But be realistic about your own human nature. If you don’t think you could resist taking a peek at personal information on the phone, you are probably best handing it off to someone else instead.
*Follow Bob Sullivan on Facebook
*Follow Bob Sullivan on Twitter.
